
## DB:5.36:Problem Loading Keystore File Into Java Keystore Object f1

Hello all,

I have a problem loading a "pkcs12" format keystore into a KeyStore object; the code is the following:

---code------

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

// Open the keystore file and ask for a PKCS#12 KeyStore implementation
InputStream is = new FileInputStream("c:/keystore/my_keystore");
KeyStore ks = KeyStore.getInstance("PKCS12");
System.out.println("KeyStore instance created.....");
// load() parses the stream as PKCS#12 and checks the password/integrity
ks.load(is, "password".toCharArray());
System.out.println("KeyStore loaded.....");
is.close();

--------------------------------
At runtime I am getting the following exception:

-----Error----------------------

KeyStore instance created.....
java.io.IOException: toDerInputStream rejects tag type 2
Exception in thread "main" java.lang.NullPointerException

--------------------------------

I have no clue why this exception is thrown, even though the keystore name, keystore file path and keystore password are correct.

Any help in this regard will be appreciated.

I am running out of time; somebody please send me a reply on this topic as early as possible.

Thanks in advance

Raju Ponnam

## DB:5.36:Problem Loading Keystore File Into Java Keystore Object f1

Thank you Amelin for your reply. In fact I am using JCSI as the SSL client, and a servlet which is in the JWS path is successfully using this keystore and establishing a connection to the server I want, but if I use the same code in a simple Java file, importing all the classes used by the servlet for implementing the SSL connection, I get an exception saying "IOException: toDerInputStream rejects tag type 2" at runtime. Can you please tell me why this exception is thrown?

Thanks in advance

Raju Ponnam
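Editor's addition (not code from this thread): the exception names a DER tag that the PKCS#12 parser did not expect, so the first thing to check is whether the file on disk really is PKCS#12 and whether the password is right. On the JDKs of that era a keystore written by keytool without -storetype is JKS whatever its file name, and JKS handed to the PKCS12 provider fails exactly like this. The class below sniffs the file header before calling load(); it assumes Java 7 or later, and the path and password from the post are placeholders.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Enumeration;

/**
 * Editor's example: look at the first bytes of a keystore file before calling
 * KeyStore.load(), so a file of the wrong format is reported as such instead of
 * as a DER parse error deep inside the PKCS#12 code.
 * Magic numbers: JKS = 0xFEEDFEED, JCEKS = 0xCECECECE; a PKCS#12 file is a DER
 * SEQUENCE and therefore begins with 0x30. Path and password are placeholders.
 */
public final class KeyStoreSniffer {

    /** Returns "JKS", "JCEKS" or "PKCS12", or throws if the header matches none of them. */
    public static String detectType(Path file) throws IOException {
        byte[] head = new byte[4];
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            in.readFully(head);                      // EOFException if the file is shorter than 4 bytes
        }
        int magic = ((head[0] & 0xff) << 24) | ((head[1] & 0xff) << 16)
                  | ((head[2] & 0xff) << 8)  |  (head[3] & 0xff);
        if (magic == 0xFEEDFEED) return "JKS";
        if (magic == 0xCECECECE) return "JCEKS";
        if ((head[0] & 0xff) == 0x30) return "PKCS12";
        throw new IOException(file + ": not a JKS, JCEKS or PKCS#12 file (first byte 0x"
                + Integer.toHexString(head[0] & 0xff) + ")");
    }

    /** Load with the detected type instead of a hard-coded one. */
    public static KeyStore load(Path file, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(detectType(file));
        try (InputStream in = Files.newInputStream(file)) {
            // A wrong password also surfaces here as an IOException (for PKCS#12 its cause is an
            // UnrecoverableKeyException), so keep format problems and password problems apart.
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args.length > 0 ? args[0] : "c:/keystore/my_keystore"); // placeholder
        char[] pw = (args.length > 1 ? args[1] : "password").toCharArray();            // placeholder
        try {
            KeyStore ks = load(file, pw);
            System.out.println("Loaded " + ks.getType() + " keystore with " + ks.size() + " entries");
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                System.out.println("  " + alias + (ks.isKeyEntry(alias) ? " [key entry]" : " [trusted certificate]"));
            }
        } finally {
            Arrays.fill(pw, '\0');                   // clear the password from the heap when done
        }
    }
}
```

Run it as `java KeyStoreSniffer c:/keystore/my_keystore password`: a JKS file is then reported as JKS rather than rejected by the PKCS#12 parser, and the listing shows whether the entries you expect are actually there. The NullPointerException that follows the IOException in the post is what you get when load() fails and the code carries on using the keystore anyway; with the checked exception propagating out of load() that second error disappears.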


## DB:3.78:Initalizing Keystore, Without .Keystore File d3

Hello,

I have two private/public key pairs and certificates for a client/server program. It uses and relies on client-side authentication via SSL.

All this information is stored in two Java keystores. Unfortunately the KeyStore class happens to be vendor dependent, and so are its keystore files (.keystore).

Because of that I can't read in the keystores when I use another vendor's JDK, for example the one under FreeBSD. They are not compatible!

However, I have found a workaround to solve the problem, but I need some help.

I figured out that I could import the certificates in the vendor-independent X509 format. I could probably also do this with the two private keys (but in what format?).

Then I could initialize the keystore. I have managed to read in the X509 certificates, but when I try to set them in the KeyStore I get the following exception:

java.security.KeyStoreException: Uninitialized keystore

I guess this happens because I did not call the load(InputStream, String) method to initialize the KeyStore.

But this is not an option, since it won't work on a different vendor's JDK for the reasons explained above.

So my first question is: how do I create an empty KeyStore object, which I can initialize by hand? I want to set the certificate and the private key myself.

The second question would be: how do I extract the private key from the .keystore and save it in a vendor-independent way, so that I can read it into memory on another vendor's virtual machine and use it to initialize the KeyStore?

Here is the code snippet that raises the exception:

```java
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
KeyStore keyStore = KeyStore.getInstance("jceks");

// This line does not work with another vendor's JDK - at least not on freebsd
//keyStore.load(getAsInputStreamFromJar(".clientkeystore"), password);

// Here the solution starts... We read in the first certificate - no problems here.
// (getAsInputStreamFromJar is a helper of the poster's own that opens a classpath resource.)
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
X509Certificate xCertificate = (X509Certificate) certificateFactory.generateCertificate(getAsInputStreamFromJar("clientX509.cert"));

// This line raises the exception. But I can't do a "new KeyStore". Where do I get a KeyStore which I can initialize?
keyStore.setCertificateEntry("sepclient", xCertificate);
```

## DB:3.78:Initalizing Keystore, Without .Keystore File d3

Hi,
for the first question the API offers a simple solution which should work for your problem too:
In order to create an empty keystore, or if the keystore cannot be initialized from a stream (e.g., because it is stored on a hardware token device), you pass null as the stream argument.

For the second question concerning the retrieval of private keys look at the following post http://forum.java.sun.com/thread.jspa?threadID=589343tstart=25 where a similar problem has been discussed.

So long.


## DB:3.72:Pi7.3 Dual Stack : Unable To View The Keystore View Of Nwa After Import Of .P12 File pc

Hi, we created one new keystore in NWA and imported a .p12 file (created from OpenSSL) into it. As soon as we did that, a Java security dump was raised on the page (as attached), and every time we try to view the same keystore it gives a dump. Though we are able to create new keystore views and import keys into the new ones, this keystore view is not accessible. Our concern is that we need to delete this keystore but are not sure how, because as soon as we try to select the keystore view it gives a dump. Can anyone suggest how we delete the keystore in this case? Appreciate quick help! Thanks, Amit

## DB:3.72:Pi7.3 Dual Stack : Unable To View The Keystore View Of Nwa After Import Of .P12 File pc

In which keystore are you trying to put the certificate? You should use TrustedCAs.


## DB:3.69:How To Store Private/Public Key In Keystore ff

I cannot make sense of this KeyStore class.

I have a private and public key and I simply want to put them in a KeyStore to use later.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;

KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA");
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN"); // throws java.security.NoSuchProviderException if the SUN provider is absent
keyGen.initialize(512, random);
KeyPair keypair = keyGen.genKeyPair();
PrivateKey priKey = keypair.getPrivate();
PublicKey pubKey = keypair.getPublic();

File keystoreFile = new File("c:\\keystore");   // the backslash has to be escaped in a Java string literal
String password = "changeit";                    // keystore password (example value)
// Create an empty keystore object
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(null, null);                       // initialise it as empty; store() throws "Uninitialized keystore" otherwise

// ?????????????
// code to store private and public key in keystore

// Save the new keystore contents
FileOutputStream out = new FileOutputStream(keystoreFile);
keystore.store(out, password.toCharArray());
out.close();
```

Can some one please help me with missing code.

## DB:3.69:How To Store Private/Public Key In Keystore ff

If you don't mind coding to Sun's internal classes (sun.security.*), check out the source of the keytool command-line tool. See here, too:

http://forum.java.sun.com/thread.jspa?threadID=5164712

Of course, you can always generate the JKS keystore file with keytool, create a key pair and a self-signed certificate and continue from there.

Regards,
Anestis
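Editor's addition, serving both this thread and the "Initalizing Keystore, Without .Keystore File" thread above (it is not code from either poster or from the JDK): the empty store comes from load(null, null), the vendor-neutral formats are PKCS#8 DER for the private key and X.509 for the certificates, and the vendor-neutral container is PKCS#12, which every JDK's KeyStore can read and write. It assumes Java 7 or later and placeholder file names clientkey.pk8 (an unencrypted PKCS#8 RSA key, e.g. from `openssl pkcs8 -topk8 -nocrypt -outform DER`), clientchain.pem (the client certificate followed by its issuers) and client.p12. The reverse step, exporting a private key from an existing store as PKCS#8, is included because it is the second question in that thread.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Collection;

/**
 * Editor's example: build a KeyStore in memory from vendor-neutral inputs and write it
 * out as PKCS#12. File names are placeholders (see the lead-in).
 */
public final class PortableKeyStore {

    /** Parse an unencrypted PKCS#8 DER private key. */
    static PrivateKey readPkcs8(Path file, String algorithm) throws Exception {
        byte[] der = Files.readAllBytes(file);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Read one or more PEM or DER certificates; the first must be the end-entity certificate. */
    static Certificate[] readChain(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new Certificate[0]);
        }
    }

    /** Empty store via load(null, null), then one private-key entry with its chain. */
    static KeyStore build(String alias, PrivateKey key, Certificate[] chain, char[] keyPw) throws Exception {
        if (chain.length == 0) throw new IllegalArgumentException("empty certificate chain");
        // Cheap consistency check: the RSA key must belong to the leaf certificate's public key.
        if (key instanceof RSAPrivateKey && chain[0].getPublicKey() instanceof RSAPublicKey
                && !((RSAPrivateKey) key).getModulus().equals(((RSAPublicKey) chain[0].getPublicKey()).getModulus())) {
            throw new IllegalArgumentException("private key does not belong to "
                    + ((X509Certificate) chain[0]).getSubjectX500Principal());
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                        // initialised and empty; no file needed
        // A key entry always needs a certificate chain: a freshly generated KeyPair (as in the
        // KeyPairGenerator post above) cannot be stored until a certificate exists for its public key.
        ks.setKeyEntry(alias, key, keyPw, chain);
        return ks;
    }

    /** The other direction: pull a private key out of an existing store (JKS, JCEKS, ...) as PKCS#8 DER. */
    static void exportPkcs8(KeyStore ks, String alias, char[] keyPw, Path out) throws Exception {
        Key k = ks.getKey(alias, keyPw);
        if (!(k instanceof PrivateKey) || !"PKCS#8".equals(k.getFormat())) {
            throw new IllegalStateException(alias + " is not an exportable private-key entry");
        }
        Files.write(out, k.getEncoded());           // unencrypted on disk: restrict permissions or delete after use
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();       // placeholder password
        PrivateKey key = readPkcs8(Paths.get("clientkey.pk8"), "RSA");
        Certificate[] chain = readChain(Paths.get("clientchain.pem"));
        KeyStore ks = build("sepclient", key, chain, pw);
        try (OutputStream out = Files.newOutputStream(Paths.get("client.p12"))) {
            ks.store(out, pw);
        }
        // Round trip through the PKCS#12 provider, then export the key again as PKCS#8.
        KeyStore back = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get("client.p12"))) {
            back.load(in, pw);
        }
        exportPkcs8(back, "sepclient", pw, Paths.get("clientkey-roundtrip.pk8"));
        System.out.println("client.p12 holds key entry 'sepclient'? " + back.isKeyEntry("sepclient"));
    }
}
```

On JDK 6 and later the same conversion of a whole store is one keytool command, `keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12`; the code above is for the case where only the raw key and certificate files are available, or where the key must be pulled out of a store programmatically. Keep the unencrypted .pk8 file out of version control and off shared disks; a .p12 protected by a real password is the safer thing to ship between machines.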


## DB:3.68:Problem With Java Keystore And Certificates (Unable To Find Valid Cert Path jk

Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user whether he or she wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self-signed certificate, import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified IP address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try to connect to a different IP address (without restarting Tomcat; if we restart Tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception

"Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
I have tried multiple times to just reset this property and try to "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into java_home/jre/lib/security/cacerts and java_home/jre/lib/security/jssecacerts, as the Java documentation says that it will look at those first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting Tomcat altogether.

If both of the certificates are already in the keystore before Tomcat is started up, everything works perfectly. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and importing it into the keystore.

One interesting feature of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again, i.e.:
- I use IP 1.1.1.1, import the self-signed certificate: authenticates successfully
- login with IP 2.2.2.2, import the self-signed certificate: FAILS
- login again with 1.1.1.1 (doesn't import the certificate because it is already in the keystore): successfully authenticates

Also, I am using Java 1.5.0_03.

Any help is greatly appreciated as I've been trying to figure this out for over a week now.

Thanks
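Editor's addition, not part of the thread: the behaviour described matches how the JDK's default TrustManager works. It reads javax.net.ssl.trustStore once, when the default SSLContext is first built, and keeps the resulting in-memory trust set for the life of the JVM; appending to the file afterwards, re-setting the system property, or editing cacerts changes nothing until a restart, which is why 1.1.1.1 (trusted at start-up) keeps working while 2.2.2.2 never does. The class below is the editor's example of the fix: after each import it rebuilds an SSLContext from a freshly loaded KeyStore and exposes a socket factory that the JNDI LDAP provider can be told to use. It assumes Java 7 or later (the poster is on 1.5.0_03), a trust store at mytruststore.jks with password changeit, and that the certificate passed to trust() has already been shown to the user, by fingerprint, before they accepted it.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Editor's example: a trust store that can grow at run time. Every import rebuilds
 * the SSLContext, so new connections see the new certificate without a JVM restart.
 * Path and password are placeholders.
 */
public final class ReloadableTrustStore {
    private static final Path STORE = Paths.get("mytruststore.jks");
    private static final char[] PW = "changeit".toCharArray();
    private static volatile SSLSocketFactory current = rebuild();

    /** Load the trust store from disk, or start empty if it does not exist yet. */
    private static KeyStore loadStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(STORE)) {
            try (InputStream in = Files.newInputStream(STORE)) { ks.load(in, PW); }
        } else {
            ks.load(null, null);
        }
        return ks;
    }

    /** Build a new TrustManager and SSLContext from the current file contents. */
    private static SSLSocketFactory rebuild() {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(loadStore());
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx.getSocketFactory();
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot build trust context from " + STORE, e);
        }
    }

    /** SHA-256 fingerprint to show the user before they accept a self-signed certificate. */
    public static String fingerprint(X509Certificate cert) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X:", b & 0xff));
        return sb.substring(0, sb.length() - 1);
    }

    /** Persist a user-approved certificate and swap in a factory that trusts it. */
    public static synchronized void trust(String alias, X509Certificate cert) throws GeneralSecurityException, IOException {
        KeyStore ks = loadStore();
        ks.setCertificateEntry(alias, cert);
        try (OutputStream out = Files.newOutputStream(STORE)) { ks.store(out, PW); }
        current = rebuild();                         // later connections pick up the new factory
    }

    /** Current factory, e.g. for StartTlsResponse.negotiate(SSLSocketFactory). */
    public static SSLSocketFactory currentFactory() { return current; }

    /**
     * Class to name in the JNDI environment:
     *   env.put("java.naming.ldap.factory.socket", ReloadableTrustStore.LdapSocketFactory.class.getName());
     * The LDAP provider calls the static getDefault() and uses the result for ldaps:// connections.
     */
    public static final class LdapSocketFactory extends SSLSocketFactory {
        public static SocketFactory getDefault() { return new LdapSocketFactory(); }
        @Override public String[] getDefaultCipherSuites() { return current.getDefaultCipherSuites(); }
        @Override public String[] getSupportedCipherSuites() { return current.getSupportedCipherSuites(); }
        @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
            return current.createSocket(s, host, port, autoClose);
        }
        @Override public Socket createSocket(String host, int port) throws IOException {
            return current.createSocket(host, port);
        }
        @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
            return current.createSocket(host, port, local, localPort);
        }
        @Override public Socket createSocket(InetAddress host, int port) throws IOException {
            return current.createSocket(host, port);
        }
        @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
            return current.createSocket(host, port, local, localPort);
        }
    }
}
```

For an ldaps:// URL put the `java.naming.ldap.factory.socket` entry above into the InitialDirContext environment; for StartTLS pass `ReloadableTrustStore.currentFactory()` to `StartTlsResponse.negotiate(...)` on each login instead of relying on the JVM default. Two caveats a practitioner would want: "ask the user whether to trust it" is trust-on-first-use, so show the fingerprint() and log which certificate was accepted, and never put a server's self-signed certificate into the JRE's cacerts, which is shared by every application on that JVM.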


## DB:3.58:Ip-Ivr 8 With Https 89

Hi to everybody

I have a problem with HTTPS web services with a self-signed certificate.

In NetBeans I have written a Java class, after adding the certificate to the keystore. I send a SOAP request message and receive a SOAP response message.

It works fine. Then I uploaded my jar into IP-IVR, but I don't know how to add the self-signed certificate to the JVM's keystore.

Any idea? Is it possible to do?

In the Cisco document I have read:

"Typically, the UCCX Engine's keystore would be invoked when script steps such as Get URL Document are connected to a HTTPS target. The default Java keystore contained preinstalled root certificates from well-known third party Certificate Authorities (CA). But, since the default Java keystore was protected by Remote Support Account/root access, customers and partners were not able to upload certificates to the keystore for SSL targets with self-signed certificates or other certificate chains that required manually populating the keystore with a certificate."

I have IP-IVR 8.0.2

thank you

Fabio

## DB:3.58:Ip-Ivr 8 With Https 89

Open a support case with Cisco TAC; this is the only way to get the cert into the Java trust store by supported means.


## DB:3.57:Suppress Keystore Password Prompt d1

I have imported a client-side certificate into the Java keystore, but at runtime I am prompted for the password to the keystore. I have set the runtime parameter -Djavax.net.ssl.keyStorePassword but it doesn't appear to take effect. I have to type in the default password 'changeit' when prompted. Any suggestions on how to set the password?

## DB:3.57:Suppress Keystore Password Prompt d1

Thanks for your responses. We have packaged software, so I will reach out to the vendor if it involves any coding.


## DB:3.56:Any Issues With Deploying Keystore To Another Computer? s1

Assuming I have created a keystore and private key using the Java keytool with the following command on Computer 1:

keytool -genkey -dname "CN=abc" -alias abc -keyalg "RSA" -keysize 1024 -sigalg "SHA256WITHRSA" -validity 365 -keystore "DEF.jks"

Then I use Portecle to open this keystore and generate a certificate request.

After I import the CA reply, can I use that keystore (.jks) file on Computer 2?


## DB:3.56:Re: How To Make Browser Recognise Our Certificate? 7j

I think that the problem is that the Java plug-in doesn't recognise your applet.
It can be solved by importing your certificate into the "cacerts" file that is (or should be) in this directory:
"C:\Program Files\JavaSoft\JRE\1.3.1\lib\security"
You have to move to that directory in order to update the "cacerts" keystore.
To import it you should do this:
"keytool -import -keystore cacerts -storepass changeit -file yourcertificate.crt" (the password is literally 'changeit')

If you still have problems I recommend you visit the following link:
http://developer.java.sun.com/developer/qow/archive/167/index.jsp

## DB:3.56:Re: How To Make Browser Recognise Our Certificate? 7j

Hi Viravan and Hosuke,
There was a mismatch in plugins. Thanks so much...
Rajesh


## DB:3.53:Import A Signed Public Key Into A Keystore ax

Hi all,

When I followed the steps listed at the end of this message to create a cert request using keytool (from JDK 1.3.0), have it signed by a CA and import the signed public key into a keystore,
I got the following error when I did step 9: keytool error: java.security.cert.CertificateException: IOException: data is not sufficient
Could you please help me? Thanks in advance. ---

1. Generate the CA key
   $ openssl genrsa -rand -des -out ca.key 1024

2. Create a self-signed certificate
   $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt

3. Set up the OpenSSL CA tools
   $ mkdir demoCA
   $ mkdir demoCA/newcerts
   $ touch demoCA/index.txt
   $ cp ca.crt demoCA/
   $ echo "01" > demoCA/serial

4. Create a new key store for the client application
   $ keytool -keystore testkeys -genkey -alias client

5. Export the client's public key
   $ keytool -keystore testkeys -certreq -alias client -file client.crs

6. Sign the client's key with our CA key
   $ openssl ca -config /etc/openssl.cnf -in client.crs -out client.crs.pem -keyfile ca.key

7. Convert to DER format
   $ openssl x509 -in client.crs.pem -out client.crs.der -outform DER

8. Import CA certificate into client's key store
   $ keytool -keystore testkeys -alias jsse_article_ca -import -file ca.crt

9. Import signed key into client's key store

```sh
serial = $dir/serial
default_days = 365          # Duration to certify for
default_crl_days= 30        # Time before next CRL
default_md = SHA1           # Message digest to use.
preserve = no               # Keep passed DN ordering?
policy = policy_anything

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
countryName_value = US
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = CA
stateOrProvinceName_value = CA
localityName = Locality Name (eg, city)
localityName_default = Loc
localityName_value = Loc
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Org
0.organizationName_value = Org
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = OrgUnit
organizationalUnitName_value = OrgUni
commonName = Common Name (eg, YOUR name)
commonName_default = CN
commonName_value = CN
commonName_max = 64
emailAddress = Email Address
emailAddress_default = foo@bar.net
emailAddress_value = foo@bar.net
emailAddress_max = 40

[ req_attributes ]
EOCNF

echo "Creating DSA params"
openssl dsaparam -outform PEM -out DSAPARAM -rand /tmp/.rnd 1024

echo "Creating CA key pair and cert request"
openssl req -config Config -nodes -newkey DSA:DSAPARAM -keyout certs/caprivkey.pem -out certs/req.pem

echo "Signing own CA cert"
openssl x509 -req -in certs/req.pem -signkey certs/caprivkey.pem -out certs/cacert.pem

echo "Generating client key pair and cert in keystore"
keytool -genkey -alias myalias -keyalg DSA -keysize 1024 -keypass password -storepass password -keystore Keystore \
  -dname "CN=Common Name, OU=Org Unit, O=Org, L=Locality, S=State, C=Country" -validity 365

echo "Generating cert request"
keytool -certreq -alias myalias -keypass password -storepass password -keystore Keystore -file certs/CertReq.csr

echo "Signing client cert"
openssl ca -config Config -policy policy_anything -batch -in certs/CertReq.csr -keyfile certs/caprivkey.pem \
  -days 365 -cert certs/cacert.pem -outdir certs -out certs/public.pem -md SHA1

echo "Importing CA cert into keystore"
keytool -import -alias CA -keystore Keystore -storepass password -noprompt -file certs/cacert.pem

# Clean the certificate file, contains extra stuff from openssl
sed "/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/!d" \
  certs/public.pem > certs/tmp-public.pem
cp certs/tmp-public.pem certs/public.pem
rm certs/tmp-public.pem

echo "Importing client cert into keystore"
keytool -import -alias myalias -keystore Keystore -storepass password -noprompt -file certs/public.pem
```

## DB:3.50:Pki In Java xf

I'm using a PFX certificate and loading it into a KeyStore. It loads and gives no exception, but when I call keystore.aliases() it throws "uninitialized keystore". My code is:

```java
KeyStore keyStore = null;
try {
    keyStore = KeyStore.getInstance(PKCS12_KEYSTORE_TYPE);
    FileInputStream keyStoreStream = new FileInputStream(aFileName);
    char[] password = aKeyStorePasswd.toCharArray();
    keyStore.load(keyStoreStream, password);
    System.out.println(aKeyStore.getDefaultType());
    System.out.println(aKeyStore.getType());
    // note: aliases() is called on aKeyStore, not on the keyStore object loaded above
    Enumeration aliasesEnum = aKeyStore.aliases();
```

The PFX I am taking from the applet (user PFX).

## DB:3.49:View Keystore Data mk

Hello, would you please tell me how I can view the data in a keystore file? Can I view this data using the Java API? Thanks in advance

## DB:3.49:View Keystore Data mk

Thank you ctopfel, I got the solution. Would you please tell me: when I connect to the FTP server using a client it gives me an error

```
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Unknown Source)
    com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Unknown Source)
    com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
    sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(Unknown Source)
    sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(Unknown Source)
    sun.nio.cs.StreamEncoder$CharsetSE.implFlush(Unknown Source)
    sun.nio.cs.StreamEncoder.flush(Unknown Source)
    java.io.OutputStreamWriter.flush(Unknown Source)
    com.ftpserver.FtpWriter.write(FtpWriter.java:192)
Sun Jul 16 15:43:55 IST 2006 :: at com.ftpserver.FtpWriter.send(FtpWriter.java:158)
    com.ftpserver.RequestHandler.run(RequestHandler.java:223)
    java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
Sun Jul 16 15:43:55 IST 2006 :: ... 13 more
Sun Jul 16 15:43:55 IST 2006 :: Con 2006-07-16 15:46:04,468 -- WARN -- RequestHandler.run()
Sun Jul 16 15:43:55 IST 2006 :: java.lang.NullPointerException
Sun Jul 16 15:43:55 IST 2006 :: at com.ftpserver.RequestHandler.run(RequestHandler.java:226)
Sun Jul 16 15:43:55 IST 2006 :: at java.lang.Thread.run(Unknown Source)
```

Please help me resolve this problem.

Thanks


## DB:3.48:Keystore To Cacert In Java fc

Hi,

Please help me with this SSL problem. I am trying to run a small web service application over SSL. Tomcat is the web server.

I have created a self-signed certificate using the command
"%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA"
which created a .keystore file for me. I have put that on the Tomcat root, and my problem is how to put this .keystore into the
C:\j2sdk1.4.2_04\jre\lib\security\cacerts file on the client.

I mean, how can you import a .keystore file into a cacerts file?

Without the client having the certificate it gives an 'SSLHandShakeException'.

Thanks for your time
Shiran

## DB:3.48:Keystore To Cacert In Java fc

Thanks guys. I got it working. Should have read the jsse documentation for all uses of the keytool utility.


## DB:3.48:Can Not Get The Alias Of A Cert From Usb-Key By Sunmscapi And Csp xa

Hi:

I'm using "SunMSCAPI" (JDK 1.6.0_12) to access a certificate and key in the Windows certificate store. The certificate and key are registered with Windows by a self-defined CSP and a self-defined registration program from a USB key, and they can be accessed by CAPICOM or by CryptoAPI. But the following Java program cannot access the certificate. The Java program is probably right, as it can access a certificate and key registered with Windows from a PFX file; but the Java program cannot get the "alias" of the USB key's certificate.

Is there a problem with the self-defined CSP or the self-defined registration program, or both? What is wrong? Thanks a lot!

--------------------------------------------------------------------------------------------------------------------------------------------------

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class IECertificateLoader {
    private KeyStore keystore = null;

    public Provider getKeyStoreProvider() {
        return Security.getProvider("SunMSCAPI");
    }

    /** Open the current user's "Personal" certificate store through SunMSCAPI. */
    public KeyStore load(Object... params) {
        KeyStore ieKeyStore = null;
        try {
            ieKeyStore = KeyStore.getInstance("Windows-My");
            ieKeyStore.load(null, null);   // no stream: the store is backed by CryptoAPI
        } catch (Exception e) {
            e.printStackTrace();
        }
        this.keystore = ieKeyStore;
        return ieKeyStore;
    }

    public List<X509Certificate> getCertificates() {
        if (keystore == null) {
            throw new RuntimeException("KeyStore is not initialized.");
        }
        return getCertificates(keystore);
    }

    private List<X509Certificate> getCertificates(KeyStore keystore) {
        List<X509Certificate> list = new ArrayList<X509Certificate>();
        try {
            Enumeration<String> enu = keystore.aliases();
            while (enu.hasMoreElements()) {
                String alias = enu.nextElement(); // Can not get the alias of the certificate in USB-key !!!
                X509Certificate cert = (X509Certificate) keystore.getCertificate(alias);
                if (cert != null) {
                    list.add(cert);
                }
            }
        } catch (KeyStoreException e) {
            e.printStackTrace();
        }
        return list;
    }

    public static void main(String[] args) {
        IECertificateLoader loader = new IECertificateLoader();
        loader.load();
        List<X509Certificate> certs = loader.getCertificates();
        for (X509Certificate xcert : certs) {
            System.out.println("==" + xcert.getSubjectDN());
        }
    }
}
```


## DB:3.48:Signing Jar Problem 8k

Dear Experts, we used to create trusted jars with a keystore using JDK 1.6.0 by the following steps:

Step 1: Create a folder named 'certificates' under the path "C:\Program Files\Java\jdk1.6.0"

Step 2: keytool -genkey -dname "cn=Mycompany,ou=Mycompany,o=OracleCorp,c=US" -alias myidentity -keypass myidentity -keystore C:\Program Files\Java\jdk1.6.0\certificates\keystore -storepass myidentity -validity 365

Step 3: Now I can see a file named 'keystore' inside the 'certificates' folder.

Yes, it works fine in JDK 1.6.0. Now I am going to update my JDK 1.6.0 to JDK 1.7.0_45, and I cannot get step 2 above to succeed in JDK 1.7.0_45. Am I missing something, or were there some changes in 1.7? Please guide me.


## DB:3.47:Access The J2ee Engine Keystore ks

Hi SDN,

I am trying to access the J2EE Engine keystore with the following code:

```java
KeyStore keyStore = null;

InitialContext ctx = new InitialContext();
Object obj = (Object) ctx.lookup("keystore");
KeystoreManager manager = (KeystoreManager) obj;
keyStore = manager.getKeystore("DEFAULT");
String alias = "verify_test";
SsfProfileKeyStore profile = new SsfProfileKeyStore(keyStore, alias, null);
String SubjectDN = profile.getCertificate().getSubjectDN().getName();
response.write("SubjectDN" + SubjectDN);
```

## DB:3.47:Access The J2ee Engine Keystore ks

Dear All,

Resolved when I used the following:

```java
KeystoreManagerWrapper_Stub manager = (KeystoreManagerWrapper_Stub) ctx.lookup("keystore");
```


## DB:3.46:Keystore/ Certificates Stored By The Jre Runtime f8

Hi!

I use this code

...
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream("test.p12", "password".toCharArray());
...

to load a certificate for signing a PDF with the help of iText. The code works fine.

The same certificate was imported via Java Control Panel (Tab Certificates) into the JRE/System.

Can I access the certificates stored in the JRE/System for signing, instead of loading the certificate directly?

The Java API for Keystore says:
...
Before a keystore can be accessed, it must be LOADED.
...
and LOADED is linked to the method ks.load()

There is no hint for accessing the JRE certificates.

Peter

• RELEVANCY SCORE 3.40

## DB:3.40:Problem With Ssl In Ridc 3j

Hi,
I find the following sample code from http://docs.oracle.com/cd/E23943_01/doc.1111/e10807/c23_ridc.htm#BJFIHEHI

Example 23-6 IDC Protocol over SSL

// build a secure IDC client as cast to specific type
IntradocClient idcClient = (IntradocClient)
manager.createClient("idcs://localhost:4443");

// set the SSL socket options
config.setKeystoreFile("ketstore/client_keystore"); //location of keystore file
config.setKeystorePassword ("password"); // keystore password
config.setKeystoreAlias("SecureClient"); //keystore alias
config.setKeystoreAliasPassword("password"); //password for keystore alias

Where does this config object come from?

I tried this, but there is no such method

IdcClientConfig config = idcClient.getConfig();
config.setKeystoreFile("ketstore/client_keystore"); // no such method

Any help is appreciated.

Thanks a lot in advance.

• RELEVANCY SCORE 3.40

## DB:3.40:Problem With Java Card 3_0_1 Connected And Loading Classic-Applet 7x

Hello All!

I'm trying to use cjcre.exe simulator that comes with new Java Card Dev Kit
1) I'm compiling my java files:
javacardc.bat -cp ../lib/api_connected.jar @1.lst

2) Convert to cap file:
converter.bat -out CAP
-exportpath "../api_export_files" -applet 0xa0:0x1:0x9:0x7:0x7:0x0:0x1:0x2:0x6:0x0:0x02
ka.applet.card.CardApplet ka.applet.card 0xa0:0x1:0x9:0x7:0x7:0x0:0x1:0x2:0x6:0x0:0x01 1.0

3) Normalize it:
normalizer.bat normalize in ka\applet\card\javacard\card.cap exportpath ../api_export_files --out normalized

4) Package it:
4.1) Create keystore and key with keytool (http://java.sun.com/javase/6/docs/technotes/tools/solaris/keytool.html)
4.2) Package:
packager.bat create exportpath ../api_export_files type classic-applet
sign keystore ./keystore/card.jks storepass testpass passkey testpass --alias myKey
--out card301cn.cap normalized\ka\applet\card\javacard\card.cap

5) TRY TO LOAD it INTO cjcre.exe
5.1) start cjcre.exe: cjcre.exe -loggerlevel info -e2pfile my_card.eeprom
5.2) installer.bat load -c http://localhost:8019/cardmanager -t classic-applet -n wallet -s card301cn.signature card301cn.cap

AND I get a message from installer.bat "Supplied certificate not trusted" !!!

What can I do in this situation? (I tried to package without --sign, but installer.bat + load prompts that the -s option is missing).

6) Because step 5 failed, creation of the applet also failed:
installer.bat create -c http://localhost:8019/cardmanager -a wallet -n wallet -i /MyWallet
I have got a message "Attempt to create an instance, but its belonging module was not loaded yet" !!!

Any help VERY appreciated!

## DB:3.40:Problem With Java Card 3_0_1 Connected And Loading Classic-Applet 7x

So I did it.

I was stupid. The right way to build and install your applet:
go to the samples folder, select a project that looks like yours, copy it, replace *.java with yours, correct build-impl.xml and some other files if needed, run ant like that:

set JAVA_HOME=D:\JDK\j2sdk1.6_16
set PATH = ANT_HOME\bin;%PATH%
D:\ANT\bin\ant.bat run

everything goes right - applet built, converted, packed, loaded, created in the simulator eeprom

then run cjcre.exe -resume -e2pfile cjcre.eeprom
and connect from your host app

• RELEVANCY SCORE 3.39

## DB:3.39:Nosuchalgorithmexception Problem With Default Provider 8m

I am using keytool to import a PEM certificate file from another machine using :

keytool -import -trustcacerts -alias tom -storepass tom -file tom.pem -keystore tom.keystore

doing this the provider is "SUN" and the keystore type is "jks".

Now when loading the trustmanager, it complains about :

java.security.NoSuchAlgorithmException: no such algorithm: SunX509 for provider SUN

Then I try to import to the SunJSSE provider which seems to accept SunX509.

keytool -import -trustcacerts -alias tom -storepass tom -file tom.pem -keystore tom.keystore -providerName SunJSSE

This causes a keystoreexception "jks not found".

The question is, why does the default SUN provider not accept the x509 algorithm? More specifically, the "SunX509" algorithm?

Thanks for help.

here is the output of provider.getInfo()

Provider = SUN version 1.5 info = SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore;

Provider = SunJSSE version 1.5 info = Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)

• RELEVANCY SCORE 3.39

## DB:3.39:Key Or Byte[] From Pem m1

Does anyone have an idea, how to import a signed pem into keystore inside a class not using keytool?

Keystore's method setKeyEntry needs a Key as input or a byte[], so how can I get it from that pem, any ideas?

Keytool command is as following:
keytool -keystore keystore file -alias alias name -import -rfc -file somekindof.pem

## DB:3.39:Key Or Byte[] From Pem m1

OK, I already figured it out by myself. I didn't actually understand the process of dealing with keytool.
1. Generate self-signed keyEntry
2. Export csr and let it be signed
3. import cacert.pem
4. import signed cert with the same alias as the self-signed keyEntry.

My problem was that I imported the cert with setCertificate though I should have imported it with setKeyEntry, and the Key was given from the keystore with getKey.

Now it seems much more clear to me :)
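The last step of the four-step process above (replacing the self-signed certificate of the key entry with the CA-signed chain, using getKey() and setKeyEntry()), carried out in code as an added example that is not from the thread. It assumes a JKS keystore, a key password equal to the store password, and hypothetical file names passed on the command line.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Replaces the self-signed certificate of an existing key entry with the
 * CA-signed certificate chain: the programmatic equivalent of
 * "keytool -import -alias <same alias> -file signed.pem".
 * File names are hypothetical and come from the command line.
 */
public class ImportSignedCert {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ImportSignedCert <keystore.jks> <storepass> <alias> <signed.pem> <cacert.pem>");
            System.exit(2);
        }
        String ksPath = args[0];
        String alias = args[2];
        char[] pass = args[1].toCharArray();   // assumes keypass == storepass, keytool's default

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, pass);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException(alias + " is not a key entry; run the self-signed -genkey step first");
        }

        // The private key never leaves the keystore: fetch it with getKey() and hand it straight back to setKeyEntry().
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);

        // CertificateFactory accepts PEM ("-rfc") as well as raw DER input, so no manual Base64 handling is needed.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate signed = readCert(cf, args[3]);
        X509Certificate ca = readCert(cf, args[4]);

        // Sanity checks before touching the entry: the signed cert must belong to this key pair,
        // the CA must actually have issued it, and it must be within its validity period.
        X509Certificate old = (X509Certificate) ks.getCertificate(alias);
        if (!signed.getPublicKey().equals(old.getPublicKey())) {
            throw new IllegalStateException("signed certificate does not match the key pair under alias " + alias);
        }
        signed.verify(ca.getPublicKey());   // throws SignatureException if cacert.pem did not sign it
        signed.checkValidity();

        // Chain order: end-entity certificate first, then the issuer. Keep the CA as a separate trusted entry too.
        Certificate[] chain = { signed, ca };
        ks.setKeyEntry(alias, key, pass, chain);
        ks.setCertificateEntry("ca-" + alias, ca);   // hypothetical alias for the trusted CA entry

        try (FileOutputStream out = new FileOutputStream(ksPath)) {
            ks.store(out, pass);
        }
        System.out.println("replaced chain for " + alias + ": " + signed.getSubjectX500Principal());
    }

    private static X509Certificate readCert(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }
}
```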

• RELEVANCY SCORE 3.38

## DB:3.38:Regarding Keystore File pz

Hi,
I have created a private keystore using keytool, created a certificate and imported that certificate to the public keystore. I can successfully verify the data signed by the private keystore. These keystores are JKS.

I need the PKCS12 keystore type. So I created that type of keystore using keytool. I imported the PKCS12 certificate into the JKS public keystore. But I could not verify the data which is being signed by the private keystore (PKCS12).

Any help

Thanks

• RELEVANCY SCORE 3.38

## DB:3.38:Trying To Enable Https But Facing Issues xj

Hi,

I am trying to enable SSL on my WebLogic server but getting issues. Here is what I've done so far:

Created custom keystore:
keytool -genkeypair -keyalg RSA -dname "cn=weblogic" -alias webcenter_portal -keypass welcome1 -keystore webcenter_portal.jks -storepass changeit -validity 720

Created certificate for keystore:
keytool -exportcert -v -alias webcenter_portal -keystore webcenter_portal.jks -storepass changeit -rfc -file webcenter_portal.cer

Imported this certificate into cacerts (JRE's trust store):
keytool -import -noprompt -trustcacerts -alias webcenter_portal -file C:/Oracle/Middleware/jdk160_24/bin/webcenter_portal.cer -keystore C:/Oracle/Middleware/jdk160_24/jre/lib/security/cacerts -storepass changeit

After this, on admin console, selected my server:
Keystores tab: selected Custom Identity and Java Standard Trust, specified keystore details, Save
SSL tab: specified keystore details. One important setting I did is 'None' in Hostname Verification.
General tab: enable SSL.

After all this configuration, I bounced my server. However HTTPS is not working. Can anyone please guide/help where to look for problems?

Thanks.

## DB:3.38:Trying To Enable Https But Facing Issues xj

Try the steps in this link: http://weblogic-wonders.com/weblogic/2013/09/10/configuring-ssl-weblogic-server-using-wlst-scripting/

• RELEVANCY SCORE 3.38

## DB:3.38:Re: Importing Microsoft Private Key And Certificates Into A Java Keystore xx

Interesting. Can you tell me your key classes instances from key.getClass().getName() ?

## DB:3.38:Re: Importing Microsoft Private Key And Certificates Into A Java Keystore xx

Dear Ezavalla,

I am new on java.security.
I have a problem in importing Microsoft private key and certificate.
I will be very happy if you can help me. The problem is very urgent for me.

I have installed a CA on a Win2K Server. I would like to develop a program which digitally signs the documents (and verifies) with using this certificate.

The questions are :

1. I firstly export my certificate file from server to my client machine. (c:\mycert.cer)

I have imported this certificate as trusted, by command
"keytool -import -v -trustcacerts -alias win -file c:\mycert.cer -keypass 123456 -storepass 123456"
(After the command, I have a .keystore file under c:\documents and settings\myUser)

Is this true?

If the answer is yes, do I have to export the personal .cer files from the server to all client machines that want to use this digital sign application?

If the answer is no, then could you please tell me the correct one?

2. How will I get my private key to sign the documents?

My code is here:

String alias = "win"; //This has been given in keytool command.
String spass = "123456"; //This has been given in keytool command.
char[] passwd = spass.toCharArray();
String ksName = "C:/Documents and Settings/myUser/.keystore";
KeyStore ks = KeyStore.getInstance("JKS"); //I don't know if this is right or not?
FileInputStream ksfis = new FileInputStream(ksName);
BufferedInputStream ksbufin = new BufferedInputStream(ksfis);
ks.load(ksbufin, passwd);
java.security.cert.Certificate cert = ks.getCertificate(alias);

// PrivateKey priv = (PrivateKey) ks.getKey(alias, I_DON'T_KNOW_WHAT_SHOULD_I USE_HERE);

//if I can get the private key, I will continue to execute the source below. Is this right?
/*
Signature dsa = Signature.getInstance("SHA1withDSA", "SUN");
dsa.initSign(priv);
FileInputStream fis = new FileInputStream(files[2]);
BufferedInputStream bufin = new BufferedInputStream(fis);
byte[] buffer = new byte[1024];
int len;
while (bufin.available() != 0) {
len = bufin.read(buffer);
dsa.update(buffer, 0, len);
};
bufin.close();
byte[] realSig = dsa.sign();
*/

Thank you very much for your great help.
Regards
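As an added example (not the poster's code), a small inspector that shows why the keystore created by "keytool -import -trustcacerts" cannot sign anything: it reports each alias's entry type and only attempts getKey() on key entries, where the second argument is the -keypass value. It assumes a JKS keystore; paths and passwords are hypothetical command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Lists every alias in a keystore together with its entry type and recovers
 * the private key only where one can exist.
 * Keystore path, store password and optional key password are hypothetical
 * command-line arguments.
 */
public class KeyStoreInspector {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreInspector <keystore> <storepass> [keypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }

        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%s: %s%n", alias,
                    cert == null ? "(no certificate)" : cert.getSubjectX500Principal());

            if (ks.isCertificateEntry(alias)) {
                // Result of "keytool -import -trustcacerts": a trusted-certificate entry.
                // It holds a public certificate only; getKey() returns null for it, so it cannot sign.
                System.out.println("  trustedCertEntry - public certificate only, cannot sign");
            } else if (ks.isKeyEntry(alias)) {
                // Result of "keytool -genkey"/"-genkeypair": a private key plus its certificate chain.
                // The second argument of getKey() is the key password (-keypass), not the store password.
                try {
                    PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
                    System.out.println("  keyEntry - " + key.getAlgorithm() + " private key, chain length "
                            + ks.getCertificateChain(alias).length);
                } catch (UnrecoverableKeyException e) {
                    System.out.println("  keyEntry - wrong key password (-keypass differs from -storepass)");
                }
            }
        }
    }
}
```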

• RELEVANCY SCORE 3.38

## DB:3.38:Using Ssl Keystores Inside Jars pa

Hi
I have a problem with using SSL keystores. I am writing an application upgrading a jira account using web services. This application is secured by SSL. I've written a class which has to be used by other code. I would like to hide the server SSL keystore inside the jar file with the execution code which needs this file. The code I am using for setting the keystore is:

URL keystore = this.getClass().getResource("/jira_keystore");
System.out.println("keystore = " + keystore);
System.setProperty("javax.net.ssl.trustStore", keystore.getPath());

That works fine if it is running as an ordinary java application. But when I pack it into a jar and use it from third-party code it doesn't work. I'm getting an error

Exception in thread "main" pl.psnc.core.SynchronizationException: ; nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at pl.psnc.core.Synchronizer.synchronize(Synchronizer.java:243)
at MainClass.main(MainClass.java:24)

It looks like there is a problem with getting the keystore file from the jar, or one cannot pass a jar file as a system property, because if I pass a keystore path as a parameter it also works fine. Paths to the keystore in every try are correct. Unfortunately I cannot pass a keystore as a parameter. It must be read from the jar file.
Thanks for any help.
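Added example (not the thread's code) showing the alternative to javax.net.ssl.trustStore when the trust store lives inside the jar: JSSE opens that property as a plain file path, so a jar: URL yields an empty trust store and the "trustAnchors parameter must be non-empty" error; loading it as a classpath resource and building the SSLContext directly works from any location. The same block asks TrustManagerFactory for its default algorithm without pinning a provider, which also avoids the "no such algorithm: SunX509 for provider SUN" error from the NoSuchAlgorithmException thread above. The resource name comes from the post; the store password is a hypothetical placeholder.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from a trust store packaged inside the jar.
 * The resource name is the one from the thread; the password is a placeholder.
 */
public final class JarTrustStore {

    private static final String RESOURCE = "/jira_keystore";             // shipped inside the jar
    private static final char[] STORE_PASS = "changeit".toCharArray();   // hypothetical store password

    public static SSLContext buildContext() throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        // getResourceAsStream works for both a filesystem classpath and an entry inside a jar.
        try (InputStream in = JarTrustStore.class.getResourceAsStream(RESOURCE)) {
            if (in == null) {
                throw new IllegalStateException("trust store " + RESOURCE + " not found on classpath");
            }
            trust.load(in, STORE_PASS);
        }
        // Fail early with a clear message instead of the generic "trustAnchors parameter must be non-empty".
        if (trust.size() == 0) {
            throw new IllegalStateException("trust store " + RESOURCE + " contains no certificates");
        }

        // Ask for the algorithm by name only. The JKS keystore type belongs to the SUN provider and the
        // SunX509/PKIX trust factories to SunJSSE; forcing one onto the other provider raises
        // NoSuchAlgorithmException ("no such algorithm: SunX509 for provider SUN").
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext();
        // Either install it process-wide for HttpsURLConnection, or hand ctx.getSocketFactory()
        // to the web-service client directly and leave global state alone.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("trust store loaded, " + ctx.getProtocol() + " context ready");
    }
}
```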

• RELEVANCY SCORE 3.37

## DB:3.37:"Invalid Der-Encoded Certificate Data" While Loading Keystore cx

Hello,

Using JDK 1.6.0_20 on WinXP, I am attempting to create a KeyStore object containing a single trusted certificate, but keep running into the following error when running the program:

java.security.cert.CertificateParsingException: invalid DER-encoded certificate data

I have tested several different root certificates (e.g. Verisign Class 3) to populate the keystore, and both keytool and OpenSSL seem to recognize them as DER-encoded and handle them fine. Keytool importcert and verbose list commands work fine, as does an OpenSSL list (openssl x509 -text -noout -inform DER -in certificate.cer).

I originally was using the sample code from the KeyStore API almost verbatim to attempt to load the KeyStore contents from a keystore file, just replacing a couple of placeholder items with command-line args:

try
{
    // Create/load the keystore to use in the PKIXParameters
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

    // get user password and file input stream
    char[] password = args[1].toCharArray();

    FileInputStream fis = null;
    try {
        fis = new FileInputStream(args[0]);
        ks.load(fis, password);
    }
    finally {
        if (fis != null) {
            fis.close();
        }
    }
}
catch (Exception e) {
    e.printStackTrace();
}

I also tested loading an empty keystore and then adding the certificate within the code:

try
{
    CertificateFactory cf = CertificateFactory.getInstance("X.509");

    // Create/load the keystore to use in the PKIXParameters
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

    // get user password and file input stream
    char[] password = args[1].toCharArray();

    FileInputStream fis = null;
    try {
        // a null stream initialises an empty keystore
        ks.load(fis, password);

        FileInputStream trustedCertStream = new FileInputStream(args[0]);
        X509Certificate trustedCert = (X509Certificate) cf.generateCertificate(trustedCertStream);
        trustedCertStream.close();

        ks.setCertificateEntry("trustroot", trustedCert);
    }
    finally {
        if (fis != null) {
            fis.close();
        }
    }
}
catch (Exception e) {
    e.printStackTrace();
}

Both code blocks give me that same "invalid DER-encoded certificate data" error.

If I just load a null FileInputStream, the code continues along fine until the point where you'd expect it to fail (when it's looking for trust anchors in the keystore and there are none).

To rule out issues with the command-line args being passed in, I tested passing a bogus keystore file (yielding a FileNotFound error as expected), a straight X.509 cert to the code expecting a keystore file (got an IOException - Invalid keystore format - as expected), and an incorrect password (There was an error parsing the truststore file: java.io.IOException: Keystore was tampered with, or password was incorrect - as expected).

Any ideas what could be causing this error and/or how to fix it?

Thanks,

Julia

## DB:3.37:"Invalid Der-Encoded Certificate Data" While Loading Keystore cx

Hi,

This is an old thread from the Sun forums so the OP will not reply to this.

I am not sure what library that class comes from, but there are many Base64 implementations out there (BouncyCastle, MiGBase64 etc) that you can use to achieve the same result.

Cheers,
Shane

• RELEVANCY SCORE 3.37

## DB:3.37:Error Loading A Keystore kf

Hi,

I get this error if I try to load the Bouncy Castle keystore using a FileInputStream
java.io.EOFException
at java.io.DataInputStream.readFully(DataInputStream.java:180)
at java.io.DataInputStream.readUTF(DataInputStream.java:592)
at java.io.DataInputStream.readUTF(DataInputStream.java:547)
at org.bouncycastle.jce.provider.JDKKeyStore.loadStore(Unknown Source)
at org.bouncycastle.jce.provider.JDKKeyStore$BouncyCastleStore.engineLoad(Unknown Source)Maybe a code problem? I can store the keystore with a file output stream without problems ... regards, Olek ## DB:3.37:Error Loading A Keystore kf Hi, You are right... ;) Too bad, that I can't send you a Burgundy ;) thanks. Olek • RELEVANCY SCORE 3.35 ## DB:3.35:Verisign Midlet Signing Problem 8s hello friends, I have a certificate from verisign. verisign provided a *"keystore.jks"* file . Error on Emulator : installation failed critical infomation missing from jad file.Error on Phone: Invalid Application (No more Details)I sign the midlet as following : *1.* I signed the jar Jarsigner -keystore keyStore.jks app.jar alias *2.* I added the certificate of the key pair from the given keystore to the JAD file Java -jar JadTool.jar -addcert -keystore keystorename -alias aliasname -storepass password -inputjad input_jadfile -outputjad output_jadfile *3.* add the digital signature of the JAR file to the specified JAD file. The default value for -jarfile is the MIDlet-Jar-URL property in the JAD file. java -jar jadtool.jar -addjarsig -jarfile jar_file -keystore keystorename -alias aliasname -storepass password -keypass password -inputjad input_jadfile -outputjad output_jadfile ## DB:3.35:Verisign Midlet Signing Problem 8s hello friends, I have a certificate from verisign. verisign provided a *"keystore.jks"* file . Error on Emulator : installation failed critical infomation missing from jad file.Error on Phone: Invalid Application (No more Details)I sign the midlet as following : *1.* I signed the jar Jarsigner -keystore keyStore.jks app.jar alias *2.* I added the certificate of the key pair from the given keystore to the JAD file Java -jar JadTool.jar -addcert -keystore keystorename -alias aliasname -storepass password -inputjad input_jadfile -outputjad output_jadfile *3.* add the digital signature of the JAR file to the specified JAD file. 
The default value for -jarfile is the MIDlet-Jar-URL property in the JAD file. java -jar jadtool.jar -addjarsig -jarfile jar_file -keystore keystorename -alias aliasname -storepass password -keypass password -inputjad input_jadfile -outputjad output_jadfile • RELEVANCY SCORE 3.34 ## DB:3.34:Issue In Free Ssl Cert Installation On Weblogic Using Keytool And Keystore ak We are facing problem in free ssl certificate configuration on Weblogic using keytool and Keystore Link which we used to follow below mentioned steps:- http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secmanage/ssl.html#1167001 http://download.oracle.com/docs/cd/E13222_01/wls/docs81/plugins/nsapi.html#112674 Steps: 1) To generate keystore and private key and digital cerficate:- keytool -genkey -alias mykey2 -keyalg RSA -keystore webconkeystore.jks -storepass webconkeystorepassword 2) To generate CSR keytool -certreq -alias mykey2 -file webconcsr1.csr -keyalg RSA -storetype jks -keystore webconkeystore.jks -storepass webconkeystorepassword 3) CSR is uploaded on verisign site to generate free ssl certificate.All certificate text received is paste into file (cacert.pem) 4) Same certificate is put into same keystore using following command keytool -import -alias mykey2 -keystore webconkeystore.jks -trustcacerts -file cacert.pem 5) Before step 4), we have also installed root /intermediate certificate to include chain using following command. (intermediateCa.cer file is downloaded from verisign site) keytool -import -alias intermediateca -keystore webconkeystore.jks -trustcacerts -file intermediateCa.cer 6) After this configuration we used weblogic admin module to configure Keystore and SSL. 
7) For KeyStore tab in weblogic admin module, we have select option Custom Identity And Custom Trust provided following details under Identity and Trust columns:- Private key alias: mykey2 PassKeyphrase: webconkeystorepassword Location of keystore: location of webconkeystore.jks file on server 8) For SSL tab in weblogic admin module, we have select option KeyStores for Identity and Trust locations. 9) After this we have restarted the server, but it is giving following error on console as shown below: After installation I had checked using "keytool -list -alias mykey2 ..." command ..and certificate were installed.. Notice WebLogicServer BEA-000365 Server state changed to ADMIN Notice WebLogicServer BEA-000365 Server state changed to RESUMING Notice Security BEA-090171 Loading the identity certificate and private key stored under the alias privateKey from the JKS keystore file /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks. Alert Security BEA-090716 Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer Error WebLogicServer BEA-000297 Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer Emergency Security BEA-090034 Not listening for SSL, java.io.IOException: Failed to retrieve identity key/certificate from keystore /home/cedera/bea9.0/weblogic90/server/lib/webconkeystore1.jks under alias privateKey on server AdminServer. Emergency Security BEA-090087 Server failed to bind to the configured Admin port. The port may already be used by another process. Please let me know if I am missing anything Please help me to checkout and resolve this issue. 
Edited by: user1685139 on Nov 3, 2009 10:10 PM ## DB:3.34:Issue In Free Ssl Cert Installation On Weblogic Using Keytool And Keystore ak Yes you can get the free SSL certificates from verisign for a trail period of 14 days. http://www.verisign.com/ssl/ you can click on the free trial on this page and and can receive the free trail certificate from verisign. thanks, Sandeep • RELEVANCY SCORE 3.33 ## DB:3.33:Re: How To Export Private Key File From Jks Keystore With J2se1.4.2 Keytool? p7 I mean I generated a key pair and a keystore by using java keytool then I exported a certificate file with keytool . My problem is that I want to export a private key from this keystore with keytool, but I didn't find how to make it. Who will be very kind to give some hint for me? Thank you very much. ## DB:3.33:Re: How To Export Private Key File From Jks Keystore With J2se1.4.2 Keytool? p7 Download a FREE implementation of a command-prompt executable Java Key Store. http://www.mailthru.com/jkskeyexporter Hi all. I packaged an existing solution up with a relatively easy to use set of instructions on how to perform a JKS Private Key export. I have included source (which was inspired from someone's source I found online), and packaged it as an easy-to-execute file. I also provided instructions that should allow SA's to perform this task as well (not just Java programmers). However, I included my Eclipse Project Java Source in case you guys want it. Let me know if you like it! Thanks, clhelper@mailthru.com • RELEVANCY SCORE 3.33 ## DB:3.33:Store Keystore To Connected Smart Card px Hi, I wanna ask that what we can do aftter that // I have a certificate file that conforms to pkcs12 standart. I get this file with these two commands from file system. KeyStore keyStore = KeyStore.getInstance("PKCS12"); keyStore.load(new java.io.FileInputStream(pkcs12File), keyPassword); // Now I wanna store this KeyStore object to smart card as certificate file. 
But I do not know if this is possible or not..... ## DB:3.33:Store Keystore To Connected Smart Card px Hi, I wanna ask that what we can do aftter that // I have a certificate file that conforms to pkcs12 standart. I get this file with these two commands from file system. KeyStore keyStore = KeyStore.getInstance("PKCS12"); keyStore.load(new java.io.FileInputStream(pkcs12File), keyPassword); // Now I wanna store this KeyStore object to smart card as certificate file. But I do not know if this is possible or not..... • RELEVANCY SCORE 3.32 ## DB:3.32:Jws 1.4.2 Keystore Password xp Hello, I try import my root certificate into "cacerts" file. With "Java Web Start - Preference" dialog, import is performed successful even if i do not know keystore password (leave blank). But the following command line keytool.exe -import -file eValidateAndSign.cer -keystore cacerts give me an error: keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect Thank you for your help. Matic My environment: - Windows 2000 - Java Web Start 1.4.2-beta ## DB:3.32:Jws 1.4.2 Keystore Password xp Hi again, I should point out that I'm not using Java Web Start though - I'm using the JVM plug-in for I.E. Don't know if that makes a difference.... Thanks, Simon • RELEVANCY SCORE 3.32 ## DB:3.32:Keytool Error: Java.Security.Cert.Certificateparsingexception: Java.Io.Ioexception c9 Dear All, I am trying to import the certificate after importing the chained certificated successfully. Below is the keytool command used for importing the certificate keytool -import -alias tomcat -keystore keystore name -file certificate file And after entering the password, getting the following error: keytool error: java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49) Env details: - java version "1.7.0_51" - Windows 7 Please help. 
## DB:3.32:Keytool Error: Java.Security.Cert.Certificateparsingexception: Java.Io.Ioexception c9 Dear All, I am trying to import the certificate after importing the chained certificated successfully. Below is the keytool command used for importing the certificate keytool -import -alias tomcat -keystore keystore name -file certificate file And after entering the password, getting the following error: keytool error: java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49) Env details: - java version "1.7.0_51" - Windows 7 Please help. • RELEVANCY SCORE 3.31 ## DB:3.31:Can Not Get The Alias Of A Cert From Usb-Key By Sunmscapi And Csp 1c Hi: I'm using "SunMSCAPI"(jdk1.6.0_12) to access certificate and key in windows certificate store. The certificate and key are registered to windows by a self-defined CSP and a self-defined register program from a USB-key, and they can be accessed by CAPICOM or by cryptoAPI. But the following java program can not access the certificate . The java program below may be right, as it can access the certificate and key registered to windows from a PFX file. While the java program cannot get the "alias" of the USB-key's certificate. Is there any problem with the self-defined CSP or the self-defined register program, or both? What is wrong? Thanks a lot! ------------------------------------------------------------------------------------------------------------------------------------------------ import java.security.KeyStore; import java.security.KeyStoreException; import java.security.Provider; import java.security.Security; import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Enumeration; import java.util.List; public class IECertificateLoader { private KeyStore keystore = null; public Provider getKeyStoreProvider() { return Security.getProvider("SunMSCAPI"); } public KeyStore load(Object ... 
params){ KeyStore ieKeyStore = null; try { ieKeyStore = KeyStore.getInstance("Windows-My"); ieKeyStore.load(null, null); } catch (Exception e) { e.printStackTrace(); } this.keystore = ieKeyStore; return ieKeyStore; } public ListX509Certificate getCertificates() { if(keystore == null){ throw new RuntimeException("KeyStore is not initialized."); } return getCertificates(keystore); } private ListX509Certificate getCertificates(KeyStore keystore){ ListX509Certificate list = new ArrayListX509Certificate(); try { EnumerationString enu = keystore.aliases(); while(enu.hasMoreElements()){ String alias = enu.nextElement(); // Can not get the alias of the certificate in USB-key !!! X509Certificate cert = (X509Certificate)keystore.getCertificate(alias); if(cert != null){ list.add(cert); } } } catch (KeyStoreException e) { e.printStackTrace(); } return list; } public static void main(String[] args){ IECertificateLoader loader = new IECertificateLoader(); loader.load(); ListX509Certificate certs = loader.getCertificates(); for(X509Certificate xcert:certs){ System.out.println("=="+xcert.getSubjectDN()); } } } ## DB:3.31:Can Not Get The Alias Of A Cert From Usb-Key By Sunmscapi And Csp 1c Registered by the self-defined registertool, the USB-key's cert exists in IE browser's "Personal" certs field, where you can open the cert. I'am not sure whether this is the proof of "in the Windows keystore"? Thanks! • RELEVANCY SCORE 3.30 ## DB:3.30:Can Not Get Windows Intermediate Certificates j1 Hi, I would like to get list of certificates stored in windows keystore as "Intermediate Certification Authorities". I tried this: KeyStore ks = KeyStore.getInstance("Windows-MY"); ks.load(null, null);but the keystore is empty. When I try to get "Trusted Root Certification Authorities", i.e. I do this: KeyStore ks = KeyStore.getInstance("Windows-ROOT"); ks.load(null, null);then the keystore is succesfully loaded and i can enumerate certificates( Trusted Root certs only..). 
I googled that "When a security manager is installed, the following call requires SecurityPermission "authProvider.SunMSCAPI"." So I added this row into the java.policy file:

permission java.security.SecurityPermission "authProvider.SunMSCAPI";

but still I am not able to load them. I guess that I miss something very basic, because I cannot google anything about this problem. Do you have any idea?

## DB:3.30:Can Not Get Windows Intermediate Certificates j1

OK, I see.. In such case I do not understand why there is storage for intermediate certificates at all...? I don't know.

• RELEVANCY SCORE 3.29

## DB:3.29:Generating Unextractable Keys + Sunpkcs11 7z

I'm trying to generate unextractable keys into the SCA 6000's keystore. The problem using Java's keytool is that they are extractable and thus do not provide enough security even though they are located in the hardware's keystore.

I currently use keytool like this:

keytool -keystore NONE -storetype PKCS11 -providerClass sun.security.pkcs11.SunPKCS11 -providerArg /root/java_code/pkcs11.cfg -genkeypair -keyalg RSA -alias test

While accessing the keystore from Java code, it really shows that the generated private key is extractable and not secure enough for my purpose (this is what I print after initializing the Provider and loading the KeyStore with the PIN):

PrivateKey privateKey = (PrivateKey) keyStore.getKey("test", null);
System.out.println("Private key: " + privateKey);

I get:

Private key: SunPKCS11-SCA6000 RSA private key, 1024 bits (id 3, token object, not sensitive, extractable)
....and the sensitive private key information is printed

Any suggestions how to make it work as wanted? Thank you.

• RELEVANCY SCORE 3.28

## DB:3.28:Creating A Keystore Only For Runtime d7

Hello,

I want to create a keystore that's not stored on my hard disk; it shall only exist as an object for my program. Therefore I read two certificates from disk and imported them into a newly created keystore object. That works fine. I can store this keystore on the disk but that's not what I want. But if I set the system properties concerning my keystore and my truststore, do I need a file or can I say use this object or my class implementing this or this interface?

Regards,
Schlunz

## DB:3.28:Creating A Keystore Only For Runtime d7

Hi.. I am facing a strange problem. When I load a truststore and then the truststore file is changed to add new certificates, it's not reflected in the program and it throws an exception of unknown certificate even though the truststore file contains the certificate.. How to do that.

• RELEVANCY SCORE 3.27

## DB:3.27:Keytool Error kz

Hi,

I am trying to import a certificate reply into the key entry of my keystore. As you can see, I'm doing this all from the command prompt. I've copied the list of commands so that you know the steps I have taken.
C:\j2sdk1.4.2_04>keytool -genkey -alias ftpapplet -keypass photoshop1 -keystore keystore -storepass photoshop1
What is your first and last name?
[Unknown]: My Name
What is the name of your organizational unit?
[Unknown]: My Department
What is the name of your organization?
[Unknown]: ThisCompany
What is the name of your City or Locality?
[Unknown]: ThisCity
What is the name of your State or Province?
[Unknown]: SC
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=My Name, OU=My Department, O=ThisCompany, L=ThisCity, ST=SC, C=US correct?
[no]: yes

C:\j2sdk1.4.2_04>keytool -certreq -alias ftpapplet -keypass ****** -keystore keystore -storepass ****** -file ftpappletrequest.cer

********************************************************************************
Basically, here is what the certificate request that was generated looks like:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIICbDCCAioCAQAwZzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlNDMQ8wDQYDVQQHEwZDb253YXkx
DDAKBgNVBAoTA0hUQzEVMBMGA1UECxMMV2ViIFNlcnZpY2VzMRUwEwYDVQQDEwxIVEMgRW1wbG95
ZWUwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEA/X9TgR11EilS30qcLuzk5/YRt1I870QAwx4/gLZR
-----END NEW CERTIFICATE REQUEST-----
********************************************************************************

C:\j2sdk1.4.2_04>keytool -list -alias cakey -keystore c:\j2sdk1.4.2_04\jre\lib\security\cacerts -storepass ******
cakey, May 19, 2004, trustedCertEntry,
Certificate fingerprint (MD5): B7:3B:9F:46:D8:B6:C5:83:96:B6:C9:09:0A:28:B9:A7

C:\j2sdk1.4.2_04>keytool -import -alias cakey -file CARoot.cer -keystore c:\j2sdk1.4.2_04\jre\lib\security\cacerts -storepass ******
keytool error: java.lang.Exception: Certificate not imported, alias cakey already exists

C:\j2sdk1.4.2_04>keytool -import -alias ftpkey -file CARoot.cer -keystore c:\j2sdk1.4.2_04\jre\lib\security\cacerts -storepass ******
Certificate already exists in keystore under alias cakey
Do you still want to add it?
[no]: yes
Certificate was added to keystore

C:\j2sdk1.4.2_04>keytool -list -alias ftpkey -keystore c:\j2sdk1.4.2_04\jre\lib\security\cacerts -storepass ******
ftpkey, May 20, 2004, trustedCertEntry,
Certificate fingerprint (MD5): B7:3B:9F:46:D8:B6:C5:83:96:B6:C9:09:0A:28:B9:A7

*******************************************************************************
Basically, here is what the certificate reply that was generated looks like:

----BEGIN CERTIFICATE-----
MIIFUjCCBPygAwIBAgIKXHHUPQAAAAAADDANBgkqhkiG9w0BAQUFADCBhTElMCMG
CSqGSIb3DQEJARYWd2Vic2VydmljZXNAaHRjaW5jLm5ldDELMAkGA1UEBhMCVVMx
CzAJBgNVBAgTAlNDMQ8wDQYDVQQHEwZDb253YXkxDDAKBgNVBAoTA0hUQzEVMBMG
-----END CERTIFICATE----
********************************************************************************

C:\j2sdk1.4.2_04>keytool -import -alias ftpapplet -file ftpChainCertificate.cer -keypass ****** -trustcacerts -keystore keystore -storepass ******
sun.security.pkcs.ParsingException: Sequence tag error
at sun.security.pkcs.PKCS7.parse(PKCS7.java:118)
at sun.security.pkcs.PKCS7.init(PKCS7.java:68)
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:530)
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:407)
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:511)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1193)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:504)
at sun.security.tools.KeyTool.run(KeyTool.java:124)
at sun.security.tools.KeyTool.main(KeyTool.java:118)
Caused by: java.io.IOException: Sequence tag error
at sun.security.util.DerInputStream.getSequence(DerInputStream.java:266)
at sun.security.pkcs.ContentInfo.init(ContentInfo.java:115)
at sun.security.pkcs.PKCS7.parse(PKCS7.java:136)
at sun.security.pkcs.PKCS7.parse(PKCS7.java:115)
... 8 more
keytool error: java.security.cert.CertificateException: Sequence tag error

C:\j2sdk1.4.2_04>

Any help would be greatly appreciated.

Thanks
carusel777

## DB:3.27:Keytool Error kz

I'm also facing the same problem. Actually I had copied the response from Verisign to file.cer and tried to import it; it gives the same error. Could anybody guide me how to proceed?

• RELEVANCY SCORE 3.27

## DB:3.27:How To Import Pkcs12 Certificate Into Keystore 89

hello

I wonder, is it possible to import a pkcs12 certificate into the java keystore located in JAVA_HOME/jre/lib/security/cacerts ?

Romek

## DB:3.27:How To Import Pkcs12 Certificate Into Keystore 89

I am going to assume that your cert is a CA root cert, not a personal cert. There is a difference: A CA root cert has only a public key. A personal cert has both a private key and a public key.

Go to Internet Explorer and Tools > Internet Options > Contents > Certificate > Import and import your *.pkcs12 certificate. Now see where it ends up in the tabs: "Trusted Root" or "Personal". From that same box, then select that certificate to set the focus and export it into an X.509 format (either binary DER or ascii Base64, keytool will figure it out). Then decide on an alias for the cert and import it. If you like, you can then delete it from IE.

keytool -import -alias joe -keystore %JAVA_HOME%\jre\lib\security\cacerts -file joe_certfile.cer

The default is to create a file called $HOME/.keystore . You might want to test it there before touching your cacerts. You might want to make an extra copy of cacerts, in case you mess it up. The password on cacerts is blank (just hit return).

There is more docs at

http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html

If you have a personal cert, I am not sure what IE does. If it works, great. Otherwise, you might want to look at the OpenSSL tool to convert it.

http://www.opensrs.org/
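The same import done in code, as an added example that is not part of this reply: the PKCS#12 file is opened with the JDK's own KeyStore API, without going through Internet Explorer, and only CA certificates (the "public key only" kind the reply distinguishes) are copied into a JKS truststore. Paths and passwords are assumed command-line arguments, the "joe-" alias prefix is borrowed from the reply, and the result is written to a new file rather than over cacerts.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Copies CA certificates out of a PKCS#12 file into a JKS truststore; private keys are never copied. */
public class Pkcs12ToTrustStore {

    static KeyStore load(String type, Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Every certificate in the store: trusted entries plus the full chain behind each key entry. */
    static Set<X509Certificate> allCertificates(KeyStore ks) throws Exception {
        Set<X509Certificate> certs = new LinkedHashSet<>();   // Certificate.equals compares encodings, so duplicates collapse
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.getCertificateChain(alias); // non-null only for private-key entries
            if (chain != null) {
                for (Certificate c : chain) certs.add((X509Certificate) c);
            } else if (ks.getCertificate(alias) != null) {
                certs.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return certs;
    }

    /**
     * Adds the CA certificates (basicConstraints cA=true) to dst as trustedCertEntry items named prefix+n.
     * End-entity ("personal") certificates are skipped: a truststore anchors on CAs, not on leaf certificates.
     */
    static List<String> copyCaCertificates(KeyStore src, KeyStore dst, String aliasPrefix) throws Exception {
        List<String> written = new ArrayList<>();
        int n = 0;
        for (X509Certificate cert : allCertificates(src)) {
            if (cert.getBasicConstraints() < 0) continue;      // -1 means no CA basicConstraints
            String alias = aliasPrefix + (n++);
            if (dst.containsAlias(alias)) throw new IllegalStateException("alias already exists: " + alias);
            dst.setCertificateEntry(alias, cert);               // the public certificate only
            written.add(alias);
        }
        return written;
    }

    public static void main(String[] args) throws Exception {
        // usage: java Pkcs12ToTrustStore <in.p12> <p12pass> <truststore.jks> <storepass> <out.jks>
        KeyStore p12 = load("PKCS12", Paths.get(args[0]), args[1].toCharArray());
        KeyStore trust = load("JKS", Paths.get(args[2]), args[3].toCharArray());
        List<String> added = copyCaCertificates(p12, trust, "joe-");
        try (OutputStream out = Files.newOutputStream(Paths.get(args[4]))) { // a copy; the original stays intact
            trust.store(out, args[3].toCharArray());
        }
        System.out.println("added " + added);
    }
}
```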

• RELEVANCY SCORE 3.27

## DB:3.27:Unable To Import Signed Cert In Keystore 8s

Hi everybody !

I've been using keytool for years to generate client certificates that I would send to an enrollment server to get it signed by the CA.
Here is the sequence :

(1) Generating the key pair :
keytool.exe -genkey -alias client-cert -keyalg RSA -keystore keystore

(2) Extracting the certificate request :
keytool.exe -certreq -alias client-cert -file client-cert.csr -keystore keystore

(3) Sending the request to the enrollment server, getting in return a signedcert.der

(4) Importing CA certificate in keystore :
keytool.exe -import -alias caroot -file ca.der -keystore keystore

(5) Importing the signed client certificate in the keystore :
keytool.exe -import -alias cert-client -file signedcert.der -keystore keystore

Now we'd like to use openssl to generate the CA certificate and sign the client-cert (which is still generated by keytool).
So instead of (3), we just have :
openssl ca -config ca-sign.cnf -out signedcert.crt -infiles client-cert.csr
openssl verify -CAfile ca.crt signedcert.crt
openssl x509 -in signedcert.crt -out signedcert.der -outform DER

Everything runs fine for (4), but when we finally try to import the signedcert, we get this :
keytool error: java.security.cert.CertificateException: IOException: X509.ObjectIdentifier() -- data isn't an object ID (tag = 48)

Some people here have already had the problem but got no answer.
What I'd like to know first is what does such an error MEAN exactly, then how can I manage to put my cert into the keystore.

FYI, we use keytool from JDK 1.3.0 and openssl 0.9.7
(I can post config file ca-sign.cnf if needed)

Thanks for your help

--
Valerien

## DB:3.27:Unable To Import Signed Cert In Keystore 8s

I got no answer either, so here's the solution for other unlucky people : use keytool from the latest JDK (1.4.1_01 ran fine).

Thank me very much.
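The question "what does such an error MEAN" comes up three times in this section (tag = 49 at the top, the Sequence tag error in the Keytool Error thread, tag = 48 here), so here is an added probe, not code from any of the posters, that reports the ASN.1 tags a file really starts with and which JDK parsers accept it. The tag numbers in those messages are DER tag bytes (48 = 0x30 SEQUENCE, 49 = 0x31 SET, 2 = INTEGER, 6 = OBJECT IDENTIFIER); the file path and optional store password are assumed command-line arguments.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Reports what a certificate-like file actually starts with and which JDK parsers accept it. */
public class CertFileProbe {

    /** Tag numbers as the JDK prints them: "tag = 48" is the SEQUENCE tag byte 0x30. */
    static String tagName(int tag) {
        switch (tag) {
            case 0x02: return "INTEGER (2)";
            case 0x04: return "OCTET STRING (4)";
            case 0x06: return "OBJECT IDENTIFIER (6)";
            case 0x30: return "SEQUENCE (48)";
            case 0x31: return "SET (49)";
            case 0xFE: return "0xFE (not ASN.1: JKS files begin with the magic FEEDFEED)";
            case 0xCE: return "0xCE (not ASN.1: JCEKS files begin with the magic CECECECE)";
            default:   return "tag " + tag;
        }
    }

    /** PEM armour is stripped and base64-decoded; anything else is returned unchanged as binary DER. */
    static byte[] toDer(byte[] raw) {
        String text = new String(raw, StandardCharsets.ISO_8859_1);
        int begin = text.indexOf("-----BEGIN");
        if (begin < 0) return raw;
        int bodyStart = text.indexOf('\n', begin);
        int end = bodyStart < 0 ? -1 : text.indexOf("-----END", bodyStart);
        if (end < 0) throw new IllegalArgumentException("truncated PEM block");
        return Base64.getMimeDecoder().decode(text.substring(bodyStart, end));  // MIME decoder skips line breaks
    }

    /**
     * Outer tag plus the tag of the first nested value. An X.509 certificate (and a CSR) is
     * SEQUENCE { SEQUENCE ... }, a PKCS#7 bundle is SEQUENCE { OBJECT IDENTIFIER ... } and a PKCS#12
     * file is SEQUENCE { INTEGER ... }; a parser that expects one of these and meets another is what
     * produces "data isn't an object ID (tag = ..)" or "Sequence tag error".
     */
    static String structure(byte[] der) {
        if (der.length < 2) return "too short to be DER";
        int outer = der[0] & 0xFF;
        if (outer == '-') return "text starting with '-' but without a \"-----BEGIN\" line: malformed PEM armour";
        int pos = 1;
        int len = der[pos++] & 0xFF;
        if ((len & 0x80) != 0) pos += len & 0x7F;      // long-form length: skip the length octets
        if (pos >= der.length) return tagName(outer) + " with a truncated length";
        return tagName(outer) + " { " + tagName(der[pos] & 0xFF) + " ... }";
    }

    /** Tries the parsers keytool relies on and records which accept the data and which reject it. */
    static List<String> probe(byte[] raw, char[] storePassword) {
        List<String> out = new ArrayList<>();
        byte[] der;
        try {
            der = toDer(raw);
        } catch (IllegalArgumentException e) {
            out.add("PEM: " + e.getMessage());
            der = raw;
        }
        out.add("structure: " + structure(der));
        try {
            int n = CertificateFactory.getInstance("X.509")
                    .generateCertificates(new ByteArrayInputStream(raw)).size();
            out.add("X.509/PKCS#7: " + n + " certificate(s)");
        } catch (CertificateException e) {
            out.add("X.509/PKCS#7: rejected (" + e.getMessage() + ")");
        }
        for (String type : new String[] {"P KCS12".replace(" ", ""), "JKS"}) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(new ByteArrayInputStream(der), storePassword);   // null password: integrity is not verified
                out.add(type + ": keystore with " + ks.size() + " entries");
            } catch (Exception e) {
                out.add(type + ": rejected (" + e.getMessage() + ")");
            }
        }
        return out;
    }

    public static void main(String[] args) throws IOException {
        // usage: java CertFileProbe <file> [storePassword]
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        for (String line : probe(Files.readAllBytes(Paths.get(args[0])), pw)) System.out.println(line);
    }
}
```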

• RELEVANCY SCORE 3.26

## DB:3.26:Re: Java Jdk 1.4.2 Keystore dz

Shucks - same deal - I thought that might do the trick...

C:\SupplyWEB\_jvm\bin>keytool -import -alias supply -keystore supply_keystore -file supplyweb.weirminerals.com.crt
Enter keystore password: changeit
keytool error: java.lang.Exception: Failed to establish chain from reply

C:\SupplyWEB\_jvm\bin>

Any other ideas?

BTW: My keystore is type: JKS and my cert is X.509 - any issues with that combo?

Thx.

-SP

## DB:3.26:Re: Java Jdk 1.4.2 Keystore dz

Hi,

The Sig Alg or alias did not matter.
You were right - should be the same.

I called the CA - Go Daddy SSL support...

Found out I was missing a root cert in the chain:

C:\SupplyWEB\_jvm\bin>keytool -list -v -keystore tomcat_keystore
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Feb 19, 2010
Entry type: trustedCertEntry

Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial number: 0
Valid from: Tue Jun 29 12:06:20 CDT 2004 until: Thu Jun 29 12:06:20 CDT 2034
Certificate fingerprints:
MD5: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4

*******************************************
*******************************************

Here is the installed certificate:

Alias name: tomcat
Creation date: Feb 19, 2010
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=xxxxxx.weirminerals.com, OU=Domain Control Validated, O=xxxxxxxx.weirminerals.com
Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: 41e2d34f7feb6
Valid from: Fri Feb 19 16:46:33 CST 2010 until: Tue Feb 08 15:50:26 CST 2011
Certificate fingerprints:
MD5: 9E:4E:90:F9:0B:41:17:EC:96:3F:44:C9:E6:3A:11:2A
SHA1: 8F:A8:52:01:0A:17:23:80:B9:63:68:7C:79:72:32:53:8A:48:E1:B6
Certificate[2]:
Owner: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial number: 301
Valid from: Wed Nov 15 19:54:37 CST 2006 until: Sun Nov 15 19:54:37 CST 2026
Certificate fingerprints:
MD5: D5:DF:85:B7:9A:52:87:D1:8C:D5:0F:90:23:2D:B5:34
SHA1: 7C:46:56:C3:06:1F:7F:4C:0D:67:B3:19:A8:55:F6:0E:BC:11:FC:44
Certificate[3]:
Owner: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Serial number: 0
Valid from: Tue Jun 29 12:06:20 CDT 2004 until: Thu Jun 29 12:06:20 CDT 2034
Certificate fingerprints:
MD5: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
SHA1: 27:96:BA:E6:3F:18:01:E2:77:26:1B:A0:D7:77:70:02:8F:20:EE:E4

*******************************************
*******************************************

And results of the import command...

C:\SupplyWEB\_jvm\bin>keytool -import -alias tomcat -keystore Tomcat_keystore -trustcacerts -file XXXXXXX.weirminerals.com.crt
Enter keystore password: changeit
Certificate reply was installed in keystore

Thanks again for all your help.

-SP

• RELEVANCY SCORE 3.26

## DB:3.26:Re-Reading The Certificates? 9a

Hi,

Is it possible to force an application (its related SSL infrastructure) to re-read a keystore after another keystore was used? I have an application which needs to talk to one HTTPS server (without using any keystore but just a truststore), retrieves a keystore from there, and then talk to another SSL server using the retrieved keystore.

Initially, I got a fatal "bad_certificate" error from com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(), so I realized it was because the SSLContext was still using the old setting of "no keystore".

So I thought what I needed to do was to get a new SSLContext, making it to re-read the certificates from the keystore (and truststore). Essentially, what I did was to getInstance() from SSLContext, and then init() it (after all the parameters were made ready), hoping to later set the default SSLContext to the new instance. (see the code below.) Unfortunately, I got an error message saying

java.security.KeyManagementException: Default SSLContext is initialized automatically
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.engineInit(Unknown Source)
at javax.net.ssl.SSLContext.init(Unknown Source)

What I don't understand is that I was initializing an instance of SSLContext (sslc2 in my code below), not the default SSLContext (sslc in my code), but the error message suggested that I was trying to init the default SSLContext.

Is this a bug in the implementation?

In general, how can I make an application re-read the certificates? I hope I don't have to split my application into two processes (so that each process will get a fresh SSLContext with the right certificates).

Thanks!

Clement

the pseudo code follows
-----
SSLContext sslc = SSLContext.getDefault();
System.err.println(sslc.toString());

SSLContext sslc2 = SSLContext.getInstance(
SSLContext.getDefault().getProtocol(),
SSLContext.getDefault().getProvider()
);

/* set up KeyManagerFactory (kmf), KeyStore,
* TrustManagerFactory (tmf), TrustStore.
* Specifically, init the KeyManagerFactory with a
* new KeyStore object loaded with the new keystore file
*/

sslc2.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

SSLContext.setDefault(sslc2);
-----

## DB:3.26:Re-Reading The Certificates? 9a

So omit the client authentication and just rely on the username and password. Client authentication via a system that tells it how to authenticate itself doesn't buy you any security whatsoever.
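An added example, not code from Clement or the reply, that builds a fresh SSLContext from KeyStore objects held in memory and reproduces the KeyManagementException above: SSLContext.getDefault().getProtocol() is the literal name "Default", and the context registered under that name is initialised by the runtime, so asking for it again and calling init() fails. A named protocol such as "TLS" gives a context that accepts init(). This also answers the "Creating A Keystore Only For Runtime" question above: a KeyStore that is never written to disk goes straight into KeyManagerFactory; the javax.net.ssl.keyStore properties are read only by the default context. The loadPkcs12 helper is an assumed way of obtaining the retrieved keystore.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyManagementException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a fresh SSLContext from in-memory KeyStore objects instead of the JVM-wide default context. */
public class FreshSslContext {

    /** Loads a PKCS#12 file into a KeyStore object; nothing is written back to disk. */
    static KeyStore loadPkcs12(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * identityStore may be null for a client that presents no certificate; trustStore null means the
     * JDK's default trust anchors. The protocol is a real one ("TLS"), not the name "Default".
     */
    static SSLContext build(KeyStore identityStore, char[] keyPassword, KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Reproduces the thread's error: the "Default" protocol names the auto-initialised context. */
    static boolean defaultContextRejectsInit() throws Exception {
        String protocol = SSLContext.getDefault().getProtocol();       // "Default"
        SSLContext sameAsDefault = SSLContext.getInstance(protocol);
        try {
            sameAsDefault.init(null, null, null);
            return false;
        } catch (KeyManagementException e) {
            return true;   // "Default SSLContext is initialized automatically"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("init() on the Default context fails: " + defaultContextRejectsInit());
        KeyStore identity = KeyStore.getInstance("PKCS12");
        identity.load(null, null);                        // constructed: an empty store that exists only in memory
        SSLContext ctx = build(identity, new char[0], null);
        System.out.println("fresh context protocol: " + ctx.getProtocol());
        // For later connections JVM-wide: SSLContext.setDefault(ctx).
        // For one connection only: HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()).
    }
}
```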

• RELEVANCY SCORE 3.25

## DB:3.25:Self Signed Certificate Incorrect Keystore Password? 8c

Hi everybody,

I'm starting to learn how to make self-signed certificates using keytool. I use the Keytool page to learn: http://download.oracle.com/javase/1.3/docs/tooldocs/win32/keytool.html
However I'm having a problem with an error saying that my keystore password is incorrect?!

Here is what I do:
-------------------------------
C:\Program Files\Java\jdk1.5.0_11\bin>keytool -genkey -dname "cn=Paul Smith, ou=myOU, o=myO, c=US" -alias psmith -keypass kpassword -keystore psmisth.ks -storepass spassword -validity 360

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -export -alias psmith -file psmith.cer
Enter keystore password: kpassword
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

C:\Program Files\Java\jdk1.5.0_11\bin>keytool -list -v -keystore psmith.ks
Enter keystore password: kpassword

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: psmith
Creation date: 02-Aug-2011
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
[...]
-----------------------------------

I have tried to delete the .ks file and try again but nothing changed. I don't have any .keystore file in my folder.

Why does it say that my password is incorrect?

## DB:3.25:Self Signed Certificate Incorrect Keystore Password? 8c

Ok

I stupidly looked at the keytool doc in the section "Exporting a Certificate Authenticating Your Public Key" which gives:
keytool -export -alias mykey -file MJ.cer

Now it works!
Thx

• RELEVANCY SCORE 3.24

## DB:3.24:J2me Ser - Java Serialized Object File (Sun) Private Key From Java Keystore ap

How do I get/create/obtain your ser file/private key?
I'm trying to extract it from a Java Keystore file. Do you have any suggestions for me? Thanks for your answer!!!

Is ser file a SER - Java Serialized Object File (Sun)?


• RELEVANCY SCORE 3.24

## DB:3.24:Problem Signing Midlet .Jar File. 3c

Hi,

Step - 1 :
======
- I have created a keystore first like.
- c: keytool -genkey -alias alias -keystore c:/abcd.sks -keyalg RSA

o/p : So it created a keystore.

Step - 2:
======
- I imported my certificate from Verisign into the keystore..
- keytool -import -alias alias -keystore c:/abcd.sks -file CompanyCert.cer

o/p : The certificate imported successfully.

Problem :
=======
Problem occurs at the time of signing the jar file with jarsigner
jarsigner Myjar.jar alias

o/p : Jar is signed and it says, "your certificate will expire in six months". But our certificate has an expiry in 2011.
Also when the jar file installed in the mobile, it occurs as an invalid application.


• RELEVANCY SCORE 3.24

## DB:3.24:How To Import .Pem Files Into Keystore? 7p

hi,

I have .pem files (client.pem and f1-n-ca.pem) and a self-generated keystore file.

Now I want to import:

client.pem = client key + cert
f1-n-ca.pem = cacert

into my generated keystore

How can i do that?

I am using Jboss AS 5 on Linux. Could someone please help?

Thanks.


• RELEVANCY SCORE 3.24

## DB:3.24:Problem Inputting A Secretkey Object Into A Keystore 9k

I am having some problem storing my SecretKey object in a keystore; I keep getting the error shown below:

cannot resolve symbol - class SecretKeyEntry.

The whole class is shown below. I have tried to import the SecretKeyEntry class but I still get an error. Can anybody help?

import java.io.*;
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.security.KeyStore.*;
//import java.security.KeyStore.SecretKeyEntry;
import java.security.spec.*;
import java.util.*;

public class Encrypt {

    public static void main(String args[]) {

        File desFile = new File("Saving a text document as an image file.doc");

        // Create data to encrypt
        Map map = new TreeMap(System.getProperties());
        int number = map.size();

        try {

            // Create Key (DES as posted; a legacy algorithm, kept to match the question)
            KeyGenerator kg = KeyGenerator.getInstance("DES");
            SecretKey secretKey = kg.generateKey();

            // key store code start
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            char[] password = {'f','r','a','n','k'};
            // password.toString() would only print the array's identity; new String(password) prints the characters
            System.out.println("my password " + new String(password));
            ks.load(null, password);

            // save my secret key (KeyStore.SecretKeyEntry and setEntry exist from Java 5 onwards;
            // the entry password is passed as a ProtectionParameter, not as a char[])
            KeyStore.SecretKeyEntry skEntry = new KeyStore.SecretKeyEntry(secretKey);
            ks.setEntry("secretKeyAlias", skEntry, new KeyStore.PasswordProtection(password));

            //keystore code end

            // Create Cipher
            Cipher desCipher =
                Cipher.getInstance("DES/ECB/PKCS5Padding");
            desCipher.init(Cipher.ENCRYPT_MODE, secretKey);

            // Create stream
            FileOutputStream fos = new FileOutputStream(desFile);
            BufferedOutputStream bos = new BufferedOutputStream(fos);
            CipherOutputStream cos = new CipherOutputStream(bos,
                desCipher);
            ObjectOutputStream oos = new ObjectOutputStream(cos);

            // Write objects
            oos.writeObject(map);
            oos.writeInt(number);
            oos.flush();
            oos.close();

        } catch (NoSuchPaddingException e) {
            System.err.println("Padding problem: " + e);
        } catch (NoSuchAlgorithmException e) {
            System.err.println("Invalid algorithm: " + e);
        } catch (InvalidKeyException e) {
            System.err.println("Invalid key: " + e);
        } catch (KeyStoreException e) {
            // a JKS keystore ends up here: it only accepts private keys
            System.err.println("Problem getting Keystore instance" + e);

        } catch (IOException e) {
            System.err.println("I/O Problem: " + e);
        } catch (Exception e) {
            System.err.println("All other exceptions" + e);
        } finally {
            if (desFile.exists()) {
                //desFile.delete();
            }
        }
    }
}

## DB:3.24:Problem Inputting A Secretkey Object Into A Keystore 9k

Haven't checked out the 1.5 APIs yet, but under 1.4 in order to store SecretKeys you need to use a JCEKS keystore rather than the default JKS (as returned by KeyStore.getDefaultType()). Try using KeyStore.getInstance("jceks") instead of KeyStore.getInstance(KeyStore.getDefaultType());

Rob
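An added example (neither Rob's nor the poster's code) that runs the reply's advice: the same SecretKeyEntry is stored in an in-memory JKS, JCEKS and PKCS12 keystore and read back. AES replaces the post's DES; the alias and password are the post's.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Shows which keystore types accept a SecretKeyEntry: JKS refuses, JCEKS and PKCS12 store and return it. */
public class SecretKeyStoreTypes {

    /** True if an in-memory keystore of this type stores the key and hands back the same key bytes. */
    static boolean storesSecretKey(String type, SecretKey key, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, password);                                   // new, empty, not written anywhere
        KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(password);
        try {
            ks.setEntry("secretKeyAlias", new KeyStore.SecretKeyEntry(key), prot);
        } catch (KeyStoreException e) {
            return false;                                          // JKS: "Cannot store non-PrivateKeys"
        }
        KeyStore.Entry back = ks.getEntry("secretKeyAlias", prot);
        return back instanceof KeyStore.SecretKeyEntry
            && Arrays.equals(((KeyStore.SecretKeyEntry) back).getSecretKey().getEncoded(), key.getEncoded());
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();   // AES in place of the post's DES
        char[] password = "frank".toCharArray();
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            System.out.println(type + ": " + storesSecretKey(type, key, password));
        }
        // JCEKS protects entries with PBEWithMD5AndTripleDES; PKCS12, the default type since Java 9,
        // also holds secret keys on current JDKs and is the one to choose for new keystores.
    }
}
```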

• RELEVANCY SCORE 3.23

## DB:3.23:Ssl Certificate Problems 1z

Please help - I have been reading all about SSL and I am still not able to get it to work. Right now I am trying to write the server side of the code, but I can't get past the accept statement. I keep getting the lovely error:
No available certificate corresponds to the SSL cipher suites which are enabled.
I have read up on the error in some forums and through Google, and tried two things:
System.setProperty("javax.net.ssl.keyStore", Path + "\\" + "keystoreFile");
System.setProperty("javax.net.ssl.keyStorePassword", "password");

This did not work. So I tried to run it from the command line with:

java -Djavax.net.ssl.keyStore="C:\.....\keystoreFile" -Djavax.net.ssl.keyStorePassword="password" Server

and that gives me the same error. I believe I have created the keystore correctly with the following code:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

public class CertImporter {

    // The post uses these without showing where they are set; the values are placeholders
    static String fileName = "other.pem";
    static String alias = "other";
    static String keyFilePath = "C:\\Documents and Settings\\keystoreFile";

    public static void main(String[] args) {
        BufferedInputStream bis = null;
        CertificateFactory cf = null;
        String password = "password";
        try {
            bis = new BufferedInputStream(new FileInputStream("C:\\Documents and Settings\\" + fileName));
            cf = CertificateFactory.getInstance("X.509");
            while (bis.available() > 0) {
                Certificate cert = cf.generateCertificate(bis);
                System.out.println("Adding the cert with alias " + alias);
                // every certificate in the file goes in under the same alias, so each call replaces the last entry
                addToKeyStore(password.toCharArray(), alias, cert); //function below
            }
            bis.close();
        } catch (Exception e) {
            System.out.println("Error adding give cert to keystore\n" + e);
            try {
                bis.close();
            } catch (Exception r) {
                System.out.println("Error closeing br in addcert\n" + r);
            }
            System.exit(1);
        }
    }

    //addToKeyStore method
    static void addToKeyStore(char[] keystorePassword, String alias, Certificate addcert) {
        try {
            // Create an empty keystore object
            System.out.println("Attmpting to open default keystore in addToKeyStore");
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            // Load the keystore contents
            System.out.println("Opening key file");
            FileInputStream in = new FileInputStream(keyFilePath);
            System.out.println("Loading input from file into keystore");
            System.out.println(in.available());
            if (in.available() == 0)
                keystore.load(null, keystorePassword);
            else
                keystore.load(in, keystorePassword);
            in.close();
            // Add the certificate (this creates a trustedCertEntry: a certificate with no private key behind it)
            System.out.println("setting cert entry with alias and cert");
            keystore.setCertificateEntry(alias, addcert);
            // Save the new keystore contents
            System.out.println("saving the information to a new file");
            FileOutputStream out = new FileOutputStream(keyFilePath);
            keystore.store(out, keystorePassword);
            out.close();
        } catch (Exception e) {
            System.out.println("Error at addToKeyStore\n" + e);
        }
    }
}

I have played with the above code with storing and retrieving certs, and it seems to work great. My certs were created using keytool and signed by a CA where I work. I have two certs: ca.pem and other.pem. I am not familiar with how certs work so it is very possible that this is where my problem is, but I can use the methods of certs and pull up the data for the cert no problem. Any help at all would be greatly appreciated. Please tell me if you need more information.

## DB:3.23:Ssl Certificate Problems 1z

I am going to implement it a different way. Good luck to everyone else that might be having this problem.
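An added example, not code from either post in this thread, that inspects a keystore for what a TLS server must have: a private-key entry whose certificate chains to a trusted entry. A store filled with setCertificateEntry, like the one above, holds trustedCertEntry items only, which is why the server has no certificate to offer for any cipher suite; the same path-building step is what keytool performs before it installs a reply and otherwise reports "Failed to establish chain from reply" (the Go Daddy thread earlier in this section). Keystore path, password and type are assumed command-line arguments, and only the keystore's own trusted entries serve as anchors (cacerts is not consulted).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Checks a keystore for what a TLS server needs: a private key whose certificate chains to a trusted entry. */
public class KeyStoreIdentityCheck {

    /** Trusted certificate entries (what "keytool -import" of a CA file creates) become the trust anchors. */
    static Set<TrustAnchor> trustAnchors(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                anchors.add(new TrustAnchor((X509Certificate) ks.getCertificate(alias), null));
            }
        }
        return anchors;
    }

    /** True when PKIX path building reaches an anchor from the leaf; validity dates are checked too. */
    static boolean chainsToAnchor(X509Certificate leaf, List<X509Certificate> intermediates,
                                  Set<TrustAnchor> anchors) throws Exception {
        if (anchors.isEmpty()) return false;                    // PKIXBuilderParameters rejects an empty set
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.setRevocationEnabled(false);                      // offline check: no CRL or OCSP fetch
        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(leaf);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false;                                        // keytool's wording: "Failed to establish chain"
        }
    }

    /** One line per alias, plus a verdict on whether a server could use this keystore at all. */
    static List<String> report(KeyStore ks) throws Exception {
        Set<TrustAnchor> anchors = trustAnchors(ks);
        List<String> lines = new ArrayList<>();
        int identities = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate[] chain = ks.isKeyEntry(alias) ? ks.getCertificateChain(alias) : null;
            if (ks.isCertificateEntry(alias)) {
                lines.add(alias + ": trustedCertEntry (a trust anchor, not a server identity)");
            } else if (chain == null) {
                lines.add(alias + ": key entry without a certificate (secret key)");
            } else {
                identities++;
                List<X509Certificate> rest = new ArrayList<>();
                for (int i = 1; i < chain.length; i++) rest.add((X509Certificate) chain[i]);
                boolean ok = chainsToAnchor((X509Certificate) chain[0], rest, anchors);
                lines.add(alias + ": keyEntry, chain length " + chain.length
                        + (ok ? ", chains to a trusted entry" : ", no path to a trusted entry in this store"));
            }
        }
        if (identities == 0) {
            lines.add("no private-key entry: a server using this keystore has no certificate to offer");
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeyStoreIdentityCheck <keystore> <storepass> [type]   (type defaults to JKS)
        KeyStore ks = KeyStore.getInstance(args.length > 2 ? args[2] : "JKS");
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        for (String line : report(ks)) System.out.println(line);
    }
}
```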

• RELEVANCY SCORE 3.23

## DB:3.23:Please Read My Problem When I Configure Weblogic Https 9z

I want to use https protocol and SSL for my web application in Weblogic

I have a problem but I am not sure whether it's related to configuring WebLogic or not; please advise me if you can.

I use "openssl" to be my own Certificate Authority (CA)

I used this instructions for using openssl [http://www.g-loaded.eu/2005/11/10/be-your-own-ca/]

after configuring openssl I used these steps for creating my keystore

1. First I use this keytool for creating my private key and public key

keytool -genkeypair -keyalg rsa -keystore ali_keytool.jks -storepass ali120 -alias ali_alias

What is your first and last name?
[Unknown]: AliKhosravi
What is the name of your organizational unit?
[Unknown]: Boors
What is the name of your organization?
[Unknown]: software
What is the name of your City or Locality?
[Unknown]: Tehran
What is the name of your State or Province?
[Unknown]: Tehran_Province
What is the two-letter country code for this unit?
[Unknown]: IR
Is CN=AliKhosravi, OU=Boors, O=software, L=Tehran, ST=Tehran_Province, C=IR correct?
[no]: y

2. I create my CSR by this command

keytool -certreq -alias ali_alias -keystore ali_keytool.jks -storepass ali120 -file ali_keytool.csr

3. I sign the ali_keytool.csr by openssl . I do it like this :

openssl x509 -req -in ali_keytool.csr -CA certs/myca.crt -CAkey private/myca.key -out ali_keytool.crt -days 365 -CAcreateserial -CAserial my_ca.seq

4. Now I have a signed certificate (ali_keytool.crt) and my CA certificate (myca.crt)
and I import CA certificate to my keystore

keytool -import -alias Openssl_ca -file myca.crt -keystore ali_keytool.jks -storepass ali120

5. I import the signed certificate into my keystore by alias of private key

keytool -import -alias ali_alias -file ali_keytool.crt -keystore ali_keytool.jks -storepass ali120

6. I import the CA certificate again into a new keystore for creating Trust

keytool -import -alias my_ca -file myca.crt -keystore ali_keytool_trust.jks -storepass ali120

(
All steps done without any errors
I used this address for help [http://www.startux.de/java/44-dealing-with-java-keystores]
)

Now I want to configure keystores and SSL in WebLogic

7. I go to the Environment--Servers--AdminServer--Keystore tab in wblogic

8. I set "Keystores=Custom Identity and Custom Trust", "Custom Identity Keystore = H:\trust\ali_keytool.jks" , "Custom Identity Keystore Type=jks" ,
"Custom Identity Keystore Passphrase:ali120"
"Confirm Custom Identity Keystore Passphrase=ali120"
"Custom Trust Keystore=H:\trust\ali_keytool_trust.jks" , "Custom Trust Keystore Type=jks" ,
"Custom Trust Keystore Passphrase=ali120" , "Confirm Custom Trust Keystore Passphrase=ali120"

9. Then I go to SSL tab and I set "Identity and Trust Locations=Keystores" , "Private Key Alias=ali_alias" ,"Private Key Passphrase=ali120",
"Confirm Private Key Passphrase=ali120"

10. I go to the General tab and select "SSL Listen Port Enabled"

11. I user Firefox as WebBrowser so I configure my Browser I select Tools--Options--ViewCertificates -- Authorities tab
and I import the server certificate here is "myca.crt the openssl certificate"
in Downloading Certificate window I select
"Trust this CA to identify web sites"
"Trust this CA to identify email users"
"Trust this CA to identify software developers"

12. I restart Weblogic

13. I try to log in to WebLogic like this "https://127.0.0.1:7002/console"

The web browser shows me this warning:

This Connection is Untrusted
You have asked Firefox to connect
securely to 127.0.0.1:7002, but we can't confirm that your connection is secure.
Normally, when you try to connect securely,
sites will present trusted identification to prove that you are
going to the right place. However, this site's identity can't be verified.
What Should I Do?

If you usually connect to
this site without problems, this error could mean that someone is
trying to impersonate the site, and you shouldn't continue.

Technical Details
I Understand the Risks

I don't know why the web browser shows me this warning while I imported the Server Certificate

I don't know that my problem is in configuring WebLogic or FireFox WebBrowser or Keystore

If you know please advice me

Thanks

## DB:3.23:Please Read My Problem When I Configure Weblogic Https 9z

Moderator Action:
You already asked this question a couple of weeks earlier:
My problem when I enable SSL in Weblogic and I don't have a trusted CA cert

This is a user-to-user forum.
There is no obligation that anyone respond. They will answer if they choose to.

If there is a business need for a resolution, use your service contract privileges and open a support ticket with Oracle Support.
http://www.oracle.com/us/support/contact-068555.html

---
This duplicate forum post is locked.

• RELEVANCY SCORE 3.23

## DB:3.23:Client Servlet Not Talking To Secure Servlet. 38

I am a bit desperate for a solution. Problem as below.

I have a requirement to implement SSL in Oracle Application Server. I have started testing it on OC4J standalone first. The requirement is that my client (servlet), deployed in the "client" webapp in OracleAS InstanceA (exposed to the world), has to talk to another servlet in the webapp "secureapp" in OracleAS InstanceB (within the company firewall).

I have done my SSL configuration fine on OracleAS InstanceB
My client servlet in client webapp is not able to talk to secure servlet in secureapp webapp.

I have defined secure-web-site.xml and mentioned 4443 to use for secure communication and defined under ssl element as follows.

<ssl-config factory="com.evermind.ssl.JSSESSLServerSocketFactory" keystore="C:/.../securekeys/cmskeystore" keystore-password="123456" truststore-password=""/>

Calling https://localhost:4443/ brings my certificate up in my browser.

Also I have extracted the client certificate from the keystore and imported it into the JDK truststore with the following commands.
C:\...\securekeys>keytool -export -alias mykey -keystore cmskeystore -rfc -file test.cer
Enter keystore password: 123456

C:\...\securekeys>keytool -import -v -trustcacerts -alias mykey -file test.cer
-keystore C:\PROGRA~1\Java\jdk1.5.0_12\jre\lib\security\cacerts

Listing the certificates shows my client certificate is stored in the truststore.
C:\PROGRA~1\Java\jdk1.5.0_12\jre\lib\security>keytool -list -v -keystore cacerts

Calling my secure servlet from a standalone Java program works fine when I am using HttpClient from Jakarta Commons.
But it outputs the following in the System.err file:
WARNING No X509Certificate found in the HTTP request object.

In my client servlet I set the following system properties, which I feel are not needed.
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

System.setProperty("javax.net.ssl.trustStore","C://.....//securekeys//cmskeystore");
System.setProperty("javax.net.ssl.trustStorePassword", "pwd123");

But calling from the client servlet throws the following exception in the browser.
500 Internal Server Error
Servlet error: An exception occurred. The current application deployment descriptors do not allow for including it in this response. Please consult the application log for details.

The code used in the client servlet for calling the secure servlet is as follows (note that the following code works fine from standalone Java but not from the servlet).
HttpClient httpclient = new HttpClient();
GetMethod httpget =
new GetMethod("https://localhost:4443/secureapp/secure/FormServlet?formName=testForm");
int status = httpclient.executeMethod(httpget); // send the request and read the response before releasing the connection
String body = httpget.getResponseBodyAsString();
httpget.releaseConnection();

What is it that I am missing for secure communication from a basic servlet to a secure servlet? Why does the error log output say
WARNING No X509Certificate found in the HTTP request object.

## DB:3.23:Client Servlet Not Talking To Secure Servlet. 38

We suggest you try the HTTPClient library that comes with OC4J. In the OC4J standalone install directory, http_client.jar is located at ./j2ee/home/lib. In OC4J 10.1.3.1 and up, HTTPClient is in your application class path by default.

Here are some guidelines for using HTTPClient and SSL: http://www.oracle.com/pls/as10132/search?remark=word=HTTPClientbook=preference=method=TEXTvbook=

Here is the HTTPClient javadoc:
http://iasdocs.us.oracle.com/iasdl/101320_final/web.1013/b32117/toc.htm

Generally, HTTPClient delegates SSL to JSSE.

Your Apache Commons HTTPClient code:
HttpClient httpclient = new HttpClient();
GetMethod httpget =
new GetMethod("https://localhost:4443/secureapp/secure/FormServlet?formName=testForm");
httpget.releaseConnection();
-----------------------
translates to:
HTTPConnection conn = new HTTPConnection( "HTTPS", "localhost", 4443 );
HTTPResponse resp = conn.Get( "/secureapp/secure/FormServlet?formName=testForm" );
String pageContent = resp.getText();
conn.stop();

• RELEVANCY SCORE 3.23

## DB:3.23:I Need To Create Java Key Store From Existing Private Key And Certificate A 8d

i tried to create my keystore entry using the keytool command

-genkey {-alias alias} {-keyalg keyalg} {-keysize keysize} {-sigalg sigalg} [-dname dname] [-keypass keypass] {-validity valDays} {-storetype storetype} {-keystore keystore} [-storepass storepass] [-provider provider_class_name] {-v} {-Jjavaoption}

and then I am trying to import the ca.pem certification chain.

But the problem is that I have existing client code in VC++ and I have CA.pem (certification authority) and key.pem (containing the private key), and I need to create my keystore entry using these two files so that I can use them to connect to my existing server.

Please give me some way out and also tell me what I should do next with my keystore file so that I can use java.security and java.crypto to connect to the server.

Message was edited by:
miryaver

• RELEVANCY SCORE 3.23

## DB:3.23:Convert Pkcs12 Keystore To Jks Keystore am

is it possible to convert a pkcs12 keystore to JKS?
i have a file keystore.p12 who's certificate and key i would like to store in a java keystore.

thanks

## DB:3.23:Convert Pkcs12 Keystore To Jks Keystore am

ziggy wrote:
is it possible to convert a pkcs12 keystore to JKS?
i have a file keystore.p12 who's certificate and key i would like to store in a java keystore.
thanks

Please don't post the same topic multiple times.
Try looking here:

[http://www.mail-archive.com/openssl-users@openssl.org/msg41349.html|http://www.mail-archive.com/openssl-users@openssl.org/msg41349.html]
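The conversion the question asks about can be done with keytool -importkeystore or, as in this added example (not code from the thread), directly with the KeyStore API: every entry of the PKCS#12 file is copied into a fresh JKS, key entries keeping their certificate chains. File names and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/** Copies every entry of a PKCS#12 file into a JKS keystore (example; paths and passwords assumed). */
public class Pkcs12ToJks {

    public static int convert(String p12Path, char[] p12Password,
                              String jksPath, char[] jksPassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            src.load(in, p12Password);
        }

        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null); // start from an empty keystore

        int copied = 0;
        for (Enumeration<String> aliases = src.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                // A PKCS#12 file protects its keys with the store password; JKS lets each
                // key entry carry its own password, so one is set explicitly here.
                Key key = src.getKey(alias, p12Password);
                Certificate[] chain = src.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    throw new GeneralSecurityException("no certificate chain for key entry " + alias);
                }
                dst.setKeyEntry(alias, key, keyPassword, chain);
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
            copied++;
        }

        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            dst.store(out, jksPassword);
        }
        return copied;
    }

    public static void main(String[] args) throws Exception {
        int n = convert("keystore.p12", "changeit".toCharArray(),
                        "keystore.jks", "changeit".toCharArray(), "changeit".toCharArray());
        System.out.println("copied " + n + " entries into keystore.jks");
    }
}
```

Afterwards "keytool -list -v -keystore keystore.jks" should show the key entry as PrivateKeyEntry with the full chain length it had in the .p12 file.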

• RELEVANCY SCORE 3.23

## DB:3.23:Invalid Keystore Format 7j

I have a Java applet (called PALS) that was developed with version 1.5 update 7. It has been signed with a digital certificate from Thawte. Recently a customer had her Windows XP machine re-imaged, and that image comes with the Java 6 JRE. Others have had this done and were still able to run my applet, but she gets an error message that complains about an "invalid keystore format."

I tried going into the Java Console and removing the user's PALS certificate, but it also complains about the keystore format. I then tried just removing Java 6 and installing Java 5, hoping that that would clear things up, but she gets the same error.

Am I correct that when a user runs my applet the certificate is read from the JAR file and placed in a keystore on their machine? If the keystore has the wrong format, can I just delete it, and where is that file? I thought it was supposed to have the name .keystore but I can't find that anywhere.

## DB:3.23:Invalid Keystore Format 7j

That was where I was expecting to find it, but it's not there. On a machine that hasn't been corrupted like my customer's, I can open up the Java Control Panel, go to the Security tab, click on certificates, and see the certificate that was used to sign the JAR file, but I don't have a .keystore file.

If it hasn't saved it in a file, where did it put it?

Thanks for your reply.

• RELEVANCY SCORE 3.22

## DB:3.22:Keytool Error: Java.Lang.Exception: Public Keys In Reply And Keystore Don't Match - Web Logic 10.3.6.0 Linux 64 Bit 9z

Hi,

Followed Oracle recommended note for generating .csr file (Doc ID 1230333.1)

01) $ keytool -genkey -alias server.alias -keyalg RSA -keysize 1024 -dname "CN=ServerName,OU=Office,O=OTS,L=Location,S=SW,C=GB" -keypass mypass -keystore ServerName.jks -storepass mypass
02) copy ServerName.jks ServerName.jks.org
03) $ keytool -list -v -keystore ServerName.jks -storepass mypass
04) $ keytool -certreq -v -alias server.alias -file ServerName.csr -keypass mypass -storepass mypass -keystore ServerName.jks
05) Sent the .csr file to CA
06) Received a filename.cer certificate.
07) rated Root ServerNameRootCert.cer and Intermediate Certificate ServerNameRootInterCert.cer from filename.cer certificate

Importing Root CA into the keystore ServerName.jks

08) $ keytool -import -v file ServerNameRootCert.cer -keystore ServerName.jks -trustcacerts -alias AliasOne
09) $ keytool -import -v file ServerNameRootInterCert.cer -keystore ServerName.jks -trustcacerts -alias AliasTwo

Now importing the actual certificate using the alias server.alias from the above steps 01) and 04)

10) $ keytool -import -v file ServerName.cer -keystore ServerName.jks -alias server.alias -keypass -storepass

Getting error message

keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:167)

Is there anything wrong with the certificate issued by the CA? Does the Java version need to be different?

Current Java version:
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Oracle JRockit(R) (build R28.2.0-79-146777-1.6.0_29-20111005-1807-linux-x86_64, compiled mode)

Any suggestions please?

Thanks,
Kam

## DB:3.22:Keytool Error: Java.Lang.Exception: Public Keys In Reply And Keystore Don't Match - Web Logic 10.3.6.0 Linux 64 Bit 9z

Import the intermediate cert first, then the root, and then the signed server certificate.
The alias of the root and intermediate doesn't matter, but make sure that the alias of the server cert is the same as the alias of the private key entry.
Have a look at the following example: https://blogs.oracle.com/blogbypuneeth/entry/steps_to_create_a_csr

• RELEVANCY SCORE 3.22

## DB:3.22:Migration: Javakey To Keytool/Jarsigner With An X509 Certificate 89

I know this question has been posted in numerous places, numerous times, but I just haven't found a useful answer to it, so I feel I need to post it again. My apologies if this is overkill.

I have been using an x509 certificate to sign a JAR intended for use in a Java plugin (such as Oracle's JInitiator and Sun's JRE 1.1.x). The commands I use to sign the plugin JAR file are (names skewed for protection):

javakey -r MyCert
javakey -cs MyCert true
javakey -ikp MyCert Cert_pub Cert_priv
javakey -ic MyCert MyCert.x509
javakey -gs MyCert.sign MyPlugin.jar

So the above commands 1) create an alias in the identitydb.obj file, 2) associate a public and private key with that alias, 3) import a certificate for that alias, and 4) sign the jar file with the MyCert.sign directive file, which directs javakey to use the MyCert alias when signing the jar file). This works quite well.

We are now attempting to sign using the Java 2 security model with keytool and jarsigner, and I am having a real problem using my existing certificate to do so.

Instructions from Sun say to generate a CSR and provide that CSR to a signing authority (such as Verisign), but I shouldn't have to do this since I already have a certificate that is valid until the year 2050!

I have tried a couple of different scenarios in attempting to sign a JAR for use in JRE 1.3+/1.4+ using keytool and jarsigner.

Scenario #1:

1. Import the x509 certificate into a new keystore:

keytool -noprompt -import -file MyCert.x509 -keystore .mykeystore -keypass mykeypass -alias MyCert -storepass mypass

2. Sign the file, using the certificate in the newly created keystore:

jarsigner -keystore .mykeystore -keypass mykeypass -storepass mypass -sigfile MyPlugin -signedjar MyPlugin.jar.sig MyPlugin.jar MyCert

3. Result: keytool command succeeds with "Certificate was added to keystore" message, but jarsigner command returns the following error:

jarsigner: Certificate chain not found for: MyCert. MyCert must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

Scenario #2:

1. Import the x509 certificate into a JDK 1.1-style identitydb.obj file, using the public and private keys as well as the certificate itself:

javakey -r MyCert
javakey -cs MyCert true
javakey -ikp MyCert Cert_pub Cert_priv
javakey -ic MyCert MyCert.x509

2. Transfer the certificate from the identitydb.obj file to a new keystore:

keytool -noprompt -identitydb -file identitydb.obj -keystore .mykeystore -keypass mykeypass -alias MyCert -storepass mypass

3. Sign the file, using the certificate in the newly created keystore:

jarsigner -keystore .mykeystore -keypass mykeypass -storepass mypass -sigfile MyPlugin -signedjar MyPlugin.jar.sig MyPlugin.jar MyCert

4. Result: certificate is added to identitydb.obj file (this is how we currently sign our 1.1-based plugin JAR file), and certificate seems to transfer correctly to the new keystore (message returned from keytool is "Creating keystore entry for MyCert ..."), but the following error occurs from the jarsigner command: "jarsigner: key associated with MyCert not a private key"

Is it possible to use an existing private key and x509 certificate to populate a keystore and sign a JAR file? Or must I buy a new certificate just to achieve the "generate a key" step?

Thanks in advance,

Shawn Bertrand

## DB:3.22:Migration: Javakey To Keytool/Jarsigner With An X509 Certificate 89

I got the same problem trying to move from javakey to keystore. But, I finally made it work.

$ keytool -identitydb -file identitydb.obj -keypass password -alias MyAlias -storepass password
Creating keystore entry for MyAlias ...
$ jarsigner -storepass password -keypass password jndi.jar MyAlias

• RELEVANCY SCORE 3.22

## DB:3.22:No Identity Key/Certificate Entry Was Found Under Alias Test Keystore kc

I created a keystore using the command

keytool -genkey -alias test-keystore c:\TestKeyStore\test1

Then imported certificates which i downloaded from the targets website

keytool -import -alias itestcomodo -keystore c:\TestKeyStore\test1.jks -trustcacerts -file (.cer file name)
keytool -import -alias TestEXternalCARoot -keystore c:\TestKeyStore\test1.jks -trustcacerts -file (.cer file name)
keytool -import -alias TestPrimaryIntermediate -keystore c:\TestKeyStore\test1.jks -trustcacerts -file (.cer file name)
keytool -import -alias TestSecondaryIntermediate -keystore c:\TestKeyStore\test1.jks -trustcacerts -file (.cer file name)

Then I added the certificates to the Java cacerts file and to the Oracle WebLogic cacerts file

C:\oracle\Middleware\wlserver_10.3\server\lib\cacerts

I setup under weblogic admin console

Keystore type as Custom Identity and Java Standard Trust, and included test1.jks with the passphrase.
Similarly I configured the SSL tab, but I am getting the following alert on the WebLogic console

Jan 25, 2012 1:12:43 PM EST Notice Security BEA-090171 Loading the identity certificate and private key stored under the alias test from the JKS keystore file c:\TestKeyStore\test1.jks
Jan 25, 2012 1:12:43 PM EST Alert Security BEA-090168 No identity key/certificate entry was found under alias test in keystore c:\TestKeyStore\test1.jks

After this, further down I get an SSL handshake error saying the security certificate received from (the target website) was not
signed properly.

Please help.

Thanks,

## DB:3.22:No Identity Key/Certificate Entry Was Found Under Alias Test Keystore kc

You can learn a few basics from the links below:

http://www.weblogic-tips.com/2008/07/27/how-to-configure-self-sign-certificate-on-weblogic-server/

http://www.weblogic-tips.com/2008/07/27/configuring-commercial-certificates-on-weblogic-server/

http://www.weblogic-tips.com/2008/07/27/steps-to-create-self-sign-certificates-for-weblogic-server/

In simple words, I would say that the private key and public key exist in a pair. The private key in the case of WebLogic server is used for encrypting the data and the public key is used for decrypting the data, which is a mandatory step in the SSL handshake.

You can learn the handshake process from the link below, which is very important for learning SSL.

http://www.weblogic-tips.com/2010/05/20/two-way-ssl-on-weblogic-server/

Thanks,
Sandeep

Edited by: sandeep_singh on Jan 26, 2012 10:04 PM
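Both the "Public keys in reply and keystore don't match" error above and the "No identity key/certificate entry was found under alias" alert in this thread come down to what is actually stored under an alias. This added example (not code from either thread) lists each alias with its entry type and checks a CA reply against the key entry before it is imported; file names, alias and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;

/** Inspects a JKS before a CA reply is imported (example; paths, alias and passwords assumed). */
public class KeystoreCheck {

    /** One line per alias, e.g. "server.alias: PrivateKeyEntry" or "AliasOne: trustedCertEntry". */
    public static List<String> describeEntries(KeyStore ks) throws GeneralSecurityException {
        List<String> lines = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            lines.add(alias + ": " + type);
        }
        return lines;
    }

    /**
     * True when the public key in the CA reply equals the public key of the self-signed
     * certificate that -genkey stored under the alias. keytool reports a false result as
     * "Public keys in reply and keystore don't match"; a missing key entry is the
     * "No identity key/certificate entry was found under alias" case.
     */
    public static boolean replyMatchesKeyEntry(KeyStore ks, String alias, Certificate reply)
            throws GeneralSecurityException {
        if (!ks.isKeyEntry(alias)) {
            throw new GeneralSecurityException("no private key entry under alias " + alias);
        }
        Certificate current = ks.getCertificate(alias); // first certificate of the key entry's chain
        return Arrays.equals(current.getPublicKey().getEncoded(),
                             reply.getPublicKey().getEncoded());
    }

    public static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static Certificate readCert(String path) throws IOException, GeneralSecurityException {
        try (FileInputStream in = new FileInputStream(path)) {
            return CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = load("ServerName.jks", "mypass".toCharArray());
        for (String line : describeEntries(ks)) {
            System.out.println(line);
        }
        Certificate reply = readCert("ServerName.cer");
        System.out.println("reply matches key entry: "
                + replyMatchesKeyEntry(ks, "server.alias", reply));
    }
}
```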

• RELEVANCY SCORE 3.22

## DB:3.22:Keystore kp

hi
how do I create a keystore file when my default keystore file (jks) does not exist?
regards
neda

## DB:3.22:Keystore kp

hi
thank you for answering my question,
but keytool doesn't work; let me explain my problem to you in more detail.
I want to create a CSR with the keytool option, but my computer does not find the default keystore implementation (jks) and does not work correctly, so I decided to create a keystore and I followed your instructions (keytool -genkey -alias nedmas -keystore nedmas.ks -storetype JKS -keyalg rsa -storepass nedmas123 -keypass nedmas123)
but it doesn't work correctly; for your better understanding:
example:
I write C:\>keytool -certreq
in answer: keytool error: keystore file does not exist: c:\window\.keystore
other example:
I write C:\>keytool -genkey
in answer: not found jks
I write keytool -genkey -alias nedmas -keystore nedmas.ks -storetype JKS -keyalg rsa -storepass nedmas123 -keypass
in answer: it shows the keytool options (such as -list -keypasswd -printcert and so on)
please guide me
thank you
regards
NEDA

• RELEVANCY SCORE 3.22

## DB:3.22:How To Create Keystore From Existing Private Key &Amp; Signed Certificate ma

Hi all,

Hope I can explain this adequately for you to understand.

Background:
I'm running a webserver (Apache 1.3x) which needed SSL. I used OpenSSL to generate the server private key (private.key) and then a CSR which was sent to Network Solutions. I now have a NS Root Certificate (root.cert) and my signed certificate (signed.cert). This is all working as far as HTTPS is concerned.

The problem:
I now need to start a Java app via Web Start and the JAR file needs to be signed. I have done this using jarsigner on the test server with a self-signed certificate in a keystore and all is OK. But for the production server I need to use our signed certificate. From my understanding of the keystore I generally need the following: 1. private key, 2. root certificate, 3. signed certificate. The problem I have is how to create the keystore required by jarsigner from these 3 separate files. I'm under the impression you cannot import a public key into a keystore, and of course my private key needs to be the one used to create the CSR/public certificate etc.

I hope I've explained my problem. As you may have guessed my programming experience is not Java, any help will be gratefully appreciated.

## DB:3.22:How To Create Keystore From Existing Private Key &Amp; Signed Certificate ma

There's no use including NS's root cert into the keychain. In order for it be trusted by a client, you need to make sure NS's root cert is included in the client side's cacert file.

AFAIK, if your signed jar is provided as a Java Applet or a Java Webstart app, the Java Plugin will also use root certs from the browser's cert store. This means if NS's root cert is included in IE's cert store, it's also OK.

BTW, when you sign your jar file, did jarsigner print out a warning like "signer cert's KeyUsage does not allow code signing"? Probably you have a multi-purpose cert? That's cool.
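Populating a keystore from an OpenSSL private key plus the signed and root certificates, which this thread and the earlier "Java key store from existing private key and certificate" question both ask about, as an added example that is not code from either thread. It assumes the private key is RSA and was first converted to unencrypted PKCS#8 with "openssl pkcs8 -topk8 -nocrypt -in private.key -out private.pk8"; the file names, alias and passwords are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Builds the JKS key entry jarsigner needs from PEM files (example; names assumed).
 * The key must be unencrypted PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----").
 */
public class PemToJks {

    /** Strips the PEM armour and decodes one unencrypted PKCS#8 private key. */
    public static PrivateKey readPkcs8Key(String pem, String algorithm) throws GeneralSecurityException {
        String body = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                         .replace("-----END PRIVATE KEY-----", "")
                         .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Reads every certificate in a PEM file; CertificateFactory understands the armour itself. */
    public static List<Certificate> readCerts(byte[] pem) throws GeneralSecurityException {
        return new ArrayList<>(CertificateFactory.getInstance("X.509")
                .generateCertificates(new ByteArrayInputStream(pem)));
    }

    /** Sign-and-verify round trip: proves the private key belongs to the leaf certificate. */
    public static boolean keyMatchesCert(PrivateKey key, Certificate leaf) throws GeneralSecurityException {
        String alg = key.getAlgorithm().equals("EC") ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        byte[] probe = "pem-to-jks probe".getBytes(StandardCharsets.US_ASCII);
        Signature sig = Signature.getInstance(alg);
        sig.initSign(key);
        sig.update(probe);
        byte[] signature = sig.sign();
        sig.initVerify(leaf.getPublicKey());
        sig.update(probe);
        return sig.verify(signature);
    }

    /** Writes one PrivateKeyEntry (leaf first, root last) into a new JKS file. */
    public static void writeKeystore(String jksPath, String alias, char[] password,
                                     PrivateKey key, List<Certificate> chain)
            throws IOException, GeneralSecurityException {
        // setKeyEntry does not validate the pair itself, so check before writing anything.
        if (chain.isEmpty() || !keyMatchesCert(key, chain.get(0))) {
            throw new GeneralSecurityException("private key does not match the first certificate in the chain");
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null); // empty store
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            ks.store(out, password);
        }
    }

    public static void main(String[] args) throws Exception {
        String keyPem = new String(Files.readAllBytes(Paths.get("private.pk8")), StandardCharsets.US_ASCII);
        PrivateKey key = readPkcs8Key(keyPem, "RSA");
        List<Certificate> chain = new ArrayList<>();
        chain.addAll(readCerts(Files.readAllBytes(Paths.get("signed.cert")))); // leaf certificate
        chain.addAll(readCerts(Files.readAllBytes(Paths.get("root.cert"))));   // issuer certificate(s)
        writeKeystore(".mykeystore", "mycert", "mypass".toCharArray(), key, chain);
        // then: jarsigner -keystore .mykeystore -storepass mypass -keypass mypass MyPlugin.jar mycert
    }
}
```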

• RELEVANCY SCORE 3.21

## DB:3.21:Encrypting Soap Message With A Supplied Cert Containing A Public Key 7k

Hi all:

I have been given a wsdl file and generated the ws proxy using jdev 10.1.3.0
now I want to secure the proxy.

The web service publisher has provided me with a *.cert file (containing a public key) for encryption and a *.pfx file containing a private key for signing.

I have used PKCS12Import to import the pfx file into a new keystore called ks.jks:

java PKCS12Import ClientPrivateKey.pfx ks.jks

I have then used keytool to import the *.cert file into the keystore:

keytool -import -file ServerPublicKey.cer -alias joelcert -keypass bctest -keystore ks.jks -storepass bctest

then view the contents of the keystore:

keytool -list -keystore ks.jks

Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries

joelcert, 10-Nov-2006, trustedCertEntry,
Certificate fingerprint (MD5): 11:67:E2:99:B1:34:95:0A:EF:65:E8:23:A2:05:C0:EB
privatekey, 10-Nov-2006, keyEntry,
Certificate fingerprint (MD5): 17:73:FC:6D:AF:8E:3F:1B:8C:6B:53:7B:8A:00:25:E9
-----------------------------------------------------------------------------------------------------------------------
In Jdeveloper I have set the properties using the keystore and the aliases for the private key and the cert, but when I run JDeveloper it throws exception:

2006-11-10 11:45:01.187 ERROR No key exists for alias joelcert

I am lost, can someone please help me understand this? I have never worked with ws security before.

Thanks,
Jose

## DB:3.21:Encrypting Soap Message With A Supplied Cert Containing A Public Key 7k

My handler is successfully creating the encryption headers and encrypting the body.

Unfortunately, Oracle's digital signature generating code is creating a SECOND wsse:Security element in the header, causing a fault/exception from the recipient. {Since there is only one actor/role, more than one wsse:Security tag is disallowed by the OASIS WS-Security standard.}

• RELEVANCY SCORE 3.18

## DB:3.18:Jsse Handshake Failing; Buffer Too Small? k9

We are having an issue with SSL connections failing from our clients to our java based SSL daemon.

We require two-way authentication to connect to this daemon so generally we add new certificates whenever a new client comes on board.

Currently we simply add the new trusted certificates into our keystore with our certificate chain and then in java we point both the keystore and the trust store to the same keystore.

Just recently we have had clients failing to be able to connect to the daemon so I ran some tests with "-Djavax.net.debug=ssl" set.

I ran tests with a single client and used the current keystore and then three archived older keystores.

The tests with keystores where this one client failed to connect all had the same failure point. Here is a sample from the log:

===========================
...
***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:

...dump of the authorities in our keystore...

qtp3686138-128, WRITE: SSLv3 Handshake, length = 16384
*** ServerHelloDone
qtp3686138-128, WRITE: SSLv3 Handshake, length = 320
qtp3686138-126, called closeOutbound()
qtp3686138-126, closeOutboundInternal()
qtp3686138-126, SEND SSLv3 ALERT: warning, description = close_notify
qtp3686138-126, WRITE: SSLv3 Alert, length = 2
Using SSLEngineImpl.

============================

Here is a sample at the same point in time with a keystore with a successful connect

============================

...

***
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:

...dump of the authorities in our keystore...

*** ServerHelloDone
qtp18350021-132, WRITE: SSLv3 Handshake, length = 16233
Using SSLEngineImpl.
qtp18350021-131, called closeOutbound()
qtp18350021-131, closeOutboundInternal()
qtp18350021-129, READ: SSLv3 Handshake, length = 1077
*** Certificate chain

.....

============================

What bothers me about the failures is that there are always the two WRITE log entries with one which a length of 16384 and then a second write with some remaining bytes. 2^14 is 16384 and this smells to me like a buffer limit.

qtp3686138-128, WRITE: SSLv3 Handshake, length = 16384
*** ServerHelloDone
qtp3686138-128, WRITE: SSLv3 Handshake, length = 320

All of the successes had less than 16384 and so there was only one WRITE entry.

The keystores have the following:

Entry Count Test
==========================
keystore -4 76 Good
keystore -3 77 Good
keystore -2 80 Fail
keystore -1 81 Fail
keystore (current) 79 Fail

In an attempt to try to fix the problem some older certificates have been removed from the keystore. But this is not really a fix. We can have new clients show up every day who wish to use this daemon.

Am I on the right track here?

Thanks!

..billg

## DB:3.18:Jsse Handshake Failing; Buffer Too Small? k9

Currently we simply add the new trusted certificates into our keystore with our certificate chain and then in java we point both the keystore and the trust store to the same keystore.

Wrong wrong wrong. The keystore is a high-security item containing your private key. It must be under a very strict change regime and indeed a very strict access regime. Otherwise your private key can leak and you are open to all kinds of impersonation attacks. The truststore is basically a public file containing known CAs and doesn't need any regime particularly. Combining them is a major security risk. You need to fix this pronto.

*** CertificateRequest
qtp3686138-126, called closeOutbound()

Unless there is a missing '*** Certificate Chain' message in between those two lines, the client didn't respond with a certificate. Either it doesn't have one or it doesn't have one that is ultimately signed by one of those CAs. And as the server is presumably configured with needClientAuth=true, it closed the connection when the next message from the client after the cert request wasn't a cert chain.

*** CertificateRequest
*** Certificate chain

See?

And fix your keystore/truststore usage, it is a security disaster waiting to happen.
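The separation the reply insists on, as an added example (not code from the thread): the daemon's private key lives in identity.jks and only client CA certificates live in truststore.jks, each feeding its own factory, and the server refuses to start if the truststore holds any private key. File names, passwords and the port are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

/** Server-side SSLContext for two-way auth from separate identity and trust stores (example). */
public class SeparateStores {

    private static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static SSLContext serverContext(String identityPath, char[] storePass, char[] keyPass,
                                           String trustPath, char[] trustPass)
            throws IOException, GeneralSecurityException {
        KeyStore identity = load(identityPath, storePass);
        KeyStore trust = load(trustPath, trustPass);

        // A truststore that also carries private keys is the combined file the reply
        // warns about; refuse it so the mistake cannot creep back in silently.
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            if (trust.isKeyEntry(e.nextElement())) {
                throw new GeneralSecurityException("truststore " + trustPath + " must not contain private keys");
            }
        }

        // Key managers answer with the server's own certificate and private key ...
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);
        // ... trust managers decide which client certificates are acceptable.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = serverContext("identity.jks", "changeit".toCharArray(), "changeit".toCharArray(),
                                       "truststore.jks", "changeit".toCharArray());
        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            // Clients that present no certificate chaining to truststore.jks are rejected,
            // which is the close_notify seen in the failing log above.
            server.setNeedClientAuth(true);
            System.out.println("listening on 8443, client certificates required");
        }
    }
}
```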

• RELEVANCY SCORE 3.18

## DB:3.18:Import Certificats Of Firefox Into Keystore 1s

Hi,

I would like to import the certificates of Firefox (or Internet Explorer, or another browser) into the keystore with Java 1.4.2.

How is it possible?

Thanks.

• RELEVANCY SCORE 3.18

## DB:3.18:Unable To Access Vcloud Director Vm Console pk

Good morning,

We're facing a very strange issue when trying to access a virtual machine console through the vCloud Director 5.6 Web Portal.

Let me describe the environment:

1 - 2 vCloud Director Cells;

2 - 1 Load Balancer;

3 - 1 VIP for the console proxy; 1 VIP for the web portal;

4 - 1 wildcard CA-signed certificate (*.domain) instead of the regular 2 host certificates (http.domain and consoleproxy.domain);

5 - The following procedure was used to create the Java Keystore and be able to import the same certificate twice (each time with a different alias):

openssl pkcs12 -in /keystore/company.pfx -out /keystore/company.pem

openssl pkcs12 -export -in /keystore/company.pem -inkey /keystore/company.key -out /keystore/company_http.p12 -name "http"

openssl pkcs12 -export -in /keystore/company.pem -inkey /keystore/company.key -out /keystore/company_console.p12 -name "consoleproxy"

keytool -v -importkeystore -srckeystore /keystore/company_console.p12 -srcstoretype PKCS12 -destkeystore /keystore/company.ks -deststoretype JCEKS

keytool -v -importkeystore -srckeystore /keystore/company_http.p12 -srcstoretype PKCS12 -destkeystore /keystore/company.ks -deststoretype JCEKS

6 - Running "keytool -list -keystore /keystore/company.ks -storetype JCEKS" shows both aliases within the keystore;

7 - vCD installer did not complain about it;

8 - Certificate is loaded correctly when accessing the web portal

Now the issue:

1 - Web portal opens as it should;

2 - Every kind of action is possible and works fine;

3 - When we open a VM console for the first time, it opens normally;

4 - If we close it and try to reopen, or if we try to open a second console, it won't open;

5 - Depending on the browser:

5.1 - Console stays black; Status starts at "Connecting"; Changes to "Disconnected" after a short while;

5.2 - Console stays blank; Status freezes at "Loading"; Sometimes it goes to "Disconnected";

6 - If we reboot both cells, it starts all over (able to open the first console; unable to open the rest);

7 - Same behavior if accessing using the VIP (through the load balancer) or directly (using the cells' internal IP address).

I've seen some topics with what appeared to be the same problem but no conclusive answer.

Any help on this topic would be appreciated.

Thank you very much.

## DB:3.18:Unable To Access Vcloud Director Vm Console pk

Fixed it.

1 - Upgrade from vCD 5.6.3 to 5.6.4.

2 - Something with the VMs we had deployed for testing. We erased them and the new ones did not have the behavior.

• RELEVANCY SCORE 3.17

## DB:3.17:How To Import A .Pfx File Into Keystore f9

We want to download a .pfx file (containing private key and certificates) from a web server and import the content of the .pfx into the BlackBerry keystore on the device. Unfortunately we were only able to import certificates (.cer) but not .pfx files with a private key.
Any idea on how to implement this ?

## DB:3.17:How To Import A .Pfx File Into Keystore f9

I have also been looking for the same outcome here...

SMIME doesn't work as advertised and there are too many factors and broken loops in regarding to fetching certificates.

i would love to at least get the .cer public keys and package them into alx and cod file so i can deploy them wirelessly.

• RELEVANCY SCORE 3.17

## DB:3.17:Root Certificate Is Not Trusted sp

Hi!

I have installed the internally signed certificates according to the steps in the Oracle documentation; however, I still get the error that "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".

Below is the error I receive when starting UCM server:
27-Dec-2011 13:39:18 o'clock CET Notice Security BEA-090898 Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.

I get this error when I click on the certificate in the browser. Below are the steps I performed. Can anyone help me understand, perhaps, I import my certificates incorrectly?

1. I've created a custom keystore using the following command:
keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname CN=domain name like test.com etc, OU=unite like Customer Support etc, O=your organization, L=your location, ST=state, C=country code like US -keystore identity.jks

2. Next, I generated a certificate sign-in request using this command:
keytool -certreq -alias mykey -file cert.csr -keystore identity.jks

3. After I received three certificates signed by our internal authority (main, intermediate, root), I imported each one of them.

4. I inserted those one by one into my custom store generated during step1 first. I used the following command for each certificate:
keytool -import -trustcacerts -keystore mystore.jks -storepass password -alias Root -import -file Trustedcaroot.txt

5. I also inserted all three into the JAVA_HOME cacerts file, located at C:/Program Files/Java/jrockit.../jre/lib/security/cacerts, using the same command as in step 4.

Next, I configured UCM_server 1 KEYSTORE to use Custom Identity and Java Trust. and pointed Custom Identity to my custom keystore file created in step1 and Java Trust to cacerts file updated in step5.

Despite of all steps above I cannot get the certificates to work. When I look at the certificate, it tells me that "This CA Root certificate is not turested. To enable trust, install this certificate in the Trusted Root Certification Authorities store".

Edited by: 867498 on 27-Dec-2011 05:45

## DB:3.17:Root Certificate Is Not Trusted sp

I've managed to get rid of the error, however the certificate still does not reflect the trusted chain and doesn't point to the "Root" certificate. Any ideas?
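
Added example, not part of the thread above: the steps in the post produce an identity keystore whose key entry should carry the leaf, the intermediate and the root, plus a trust store that must contain the root. The check below loads both, prints each certificate's signature algorithm and OID (the 1.2.840.113549.1.1.11 in the log is sha256WithRSAEncryption), and runs a PKIX validation of the key entry's chain against the trust store, so a chain that does not end at a trusted root is reported before the server is configured. File names, passwords and the alias are command-line arguments; nothing is taken from the poster's environment.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example: checks that the certificate chain stored under a key alias in an
 * identity keystore validates (PKIX) against the trusted entries of a separate store.
 * Usage: java ChainCheck identity.jks <storepass> mykey cacerts <trustpass>
 */
public class ChainCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        // Default type is JKS on old JDKs and PKCS12 on current ones; both read each other's files.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Returns the chain for alias (leaf first) or throws if the alias has no key entry. */
    static X509Certificate[] chainFor(KeyStore identity, String alias) throws Exception {
        Certificate[] raw = identity.getCertificateChain(alias);
        if (raw == null) {
            throw new IllegalStateException("alias '" + alias + "' has no key entry with a chain; "
                + "was the signed certificate imported under the same alias used for -genkey?");
        }
        return Arrays.copyOf(raw, raw.length, X509Certificate[].class);
    }

    /** Validates the chain against the trust store. Returns null on success, else the reason. */
    static String validate(X509Certificate[] chain, KeyStore trustStore) throws Exception {
        // PKIX wants the path without the trust anchor, so drop a trailing self-signed root.
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(trustStore); // anchors = trustedCertEntry entries
        params.setRevocationEnabled(false);                     // offline check: no CRL/OCSP fetch
        try {
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage() + " (certificate index " + e.getIndex() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore identity = load(args[0], args[1].toCharArray());
        X509Certificate[] chain = chainFor(identity, args[2]);
        KeyStore trust = load(args[3], args[4].toCharArray());

        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    sigalg=%s (OID %s)%n", i,
                c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                c.getSigAlgName(), c.getSigAlgOID());
        }
        String problem = validate(chain, trust);
        System.out.println(problem == null ? "chain validates against the trust store"
                                           : "chain does NOT validate: " + problem);
    }
}
```

If the chain printed here has length 1, the signed leaf was imported as a separate trusted entry instead of replacing the key entry's self-signed certificate; the intermediate and root must be imported before the leaf, and the leaf under the key alias, for keytool to build the chain.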

• RELEVANCY SCORE 3.17

## DB:3.17:Custom Trustmanager Example Which Asks User For Trustability 8s

Hi!

Since I needed a trustmanager which shows an untrusted server certificate to the user and asks him if the certificate can be considered trustable, I wrote my own trustmanager. As it took much time to find out how to do this, here is my code to shorten your time if you need similar functionality:

NOTE:
If a certificate is declared trustable by the user it is stored in a local keystore file. So if you use the code in an applet you need to sign it to get the appropriate permissions.

To use it you have to put the following code where you get your SSLSocketFactory:

try{
SSLContext sslContext=SSLContext.getInstance("SSL","SunJSSE");
TrustManager[] tm={new StoreCertTrustManager()};
sslContext.init(null,tm,null);
factory = ( SSLSocketFactory) sslContext.getSocketFactory();
}catch(Exception e) { ... }

Here is the implementation of the StoreCertTrustManager:

import java.awt.event.ActionListener;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Vector;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.swing.JButton;
import javax.swing.JComboBox;
import javax.swing.JDialog;
import javax.swing.JList;
import javax.swing.JTextArea;
import javax.swing.event.ListSelectionListener;

/**
 * This class implements a TrustManager for authenticating the server's certificate.
 * It enhances the default behaviour.
 */
class StoreCertTrustManager implements X509TrustManager {
    /** The trustmanager instance used to delegate to the default behaviour. */
    private TrustManager tm = null;

    /** Password for the own keystore */
    private final char[] keyStorePassword = "changeit".toCharArray();

    /** Path to the own keystore. Store it in the home directory to avoid permission problems. */
    private final String keyStorePath = System.getProperty("user.home") + "/https-keystore";
    /** The stream for reading from the keystore. */
    FileInputStream keyStoreIStream = null;
    /** The instance of the keystore */
    private KeyStore keyStore = null;

    /**
     * Creates a TrustManager which first checks the default behaviour of the X509TrustManager.
     * If the default behaviour throws a CertificateException, ask the user if the certificate
     * should be declared trustable.
     *
     * @throws Exception: If SSL initialization failed.
     */
    StoreCertTrustManager() throws Exception {
        /* Try to set the truststore system property to our keystore
         * if we have the appropriate permissions. */
        try {
            File httpsKeyStore = new File(keyStorePath);
            if (httpsKeyStore.exists()) {
                System.setProperty("javax.net.ssl.trustStore", keyStorePath);
            }
        } catch (SecurityException se) {
            // No permission to set properties (e.g. unsigned applet): keep the JVM default.
        }

        /* Create the TrustManagerFactory. We use the SunJSSE provider
         * for this purpose. */
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
        tmf.init((KeyStore) null);
        tm = tmf.getTrustManagers()[0];
        /* Something failed, we could not get a TrustManager instance. */
        if (tm == null) {
            throw new SSLException("Could not get default TrustManager instance.");
        }

        /* Create the file input stream for the own keystore. */
        try {
            keyStoreIStream = new FileInputStream(keyStorePath);
        } catch (FileNotFoundException fne) {
            // If the path does not exist then a null stream means
            // the keystore is initialized empty. If an untrusted
            // certificate chain is trusted by the user, then it will be
            // saved in the file pointed to by keyStorePath.
            keyStoreIStream = null;
        }
        /* Now create the keystore. */
        try {
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(keyStoreIStream, keyStorePassword);
        } catch (KeyStoreException ke) {
            System.out.println("Loading of https keystore from file " + keyStorePath
                + " failed. error message: " + ke.getMessage());
            keyStore = null;
        } finally {
            if (keyStoreIStream != null) {
                keyStoreIStream.close();
            }
        }
    }

    /**
     * Authenticates a client certificate. Since we don't need that case, only implement the
     * default behaviour.
     *
     * @param chain In: The certificate chain to be authenticated.
     * @param authType In: The key exchange algorithm.
     */
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        ((X509TrustManager) tm).checkClientTrusted(chain, authType);
    }

    /**
     * Authenticates a server certificate. If the given certificate is untrusted, ask the
     * user whether to proceed or not.
     *
     * @param chain In: The certificate chain to be authenticated.
     * @param authType In: The key exchange algorithm.
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        /* Output the certificate chain for debugging purposes */
        System.out.println("got X509 certificate from server:");
        for (int i = 0; i < chain.length; i++) {
            System.out.println("chain[" + i + "]: " + chain[i].getSubjectDN().getName()
                + " issued by " + chain[i].getIssuerDN().getName());
        }

        try {
            /* First try the default behaviour. */
            ((X509TrustManager) tm).checkServerTrusted(chain, authType);
        } catch (CertificateException ce) {
            System.out.println("in checkServerTrusted: authType: " + authType
                + ", got certificate exception: " + ce.getMessage());
            /* If we got here the certificate is untrusted. */

            /* If we could not create a keystore instance, forward the certificate exception. So we have
             * at least the default behaviour. */
            if (keyStore == null || chain == null || chain.length == 0) {
                throw ce;
            }
            try {
                /* The default trust manager did not accept the chain,
                 * so ask the user if it should be treated as trustable. */
                AskForTrustability ask = new AskForTrustability(chain);
                boolean trustCert = ask.showCertificateAndGetDecision();
                if (trustCert) {
                    // Add the chain to the keyStore. The alias is the issuer DN, so a later
                    // certificate from the same issuer replaces the earlier entry.
                    for (int i = 0; i < chain.length; i++) {
                        keyStore.setCertificateEntry(chain[i].getIssuerDN().toString(), chain[i]);
                    }
                    // Save the keystore to file.
                    FileOutputStream keyStoreOStream = new FileOutputStream(keyStorePath);
                    keyStore.store(keyStoreOStream, keyStorePassword);
                    keyStoreOStream.close();
                    keyStoreOStream = null;
                    System.out.println("Keystore saved in " + keyStorePath);
                } else {
                    throw ce;
                }
            } catch (Exception ge) {
                /* Got an unexpected exception, so throw the original exception. */
                System.out.println("in checkServerTrusted: got exception type: " + ge.getClass()
                    + " message: " + ge.getMessage());
                throw ce;
            }
        }
    }

    /**
     * Merges the system wide accepted issuers and the own ones and
     * returns them.
     *
     * @return: Array of X509 certificates of the accepted issuers.
     */
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] cf = ((X509TrustManager) tm).getAcceptedIssuers();
        X509Certificate[] allCfs = cf;

        if (keyStore != null) {
            try {
                Enumeration<String> ownCerts = keyStore.aliases();
                Vector<X509Certificate> certsVect = new Vector<X509Certificate>();
                while (ownCerts.hasMoreElements()) {
                    Certificate cert = keyStore.getCertificate(ownCerts.nextElement());
                    // getCertificate() is null for entries without a certificate; skip those.
                    if (cert instanceof X509Certificate) {
                        certsVect.add((X509Certificate) cert);
                    }
                }
                int newLength = cf.length + certsVect.size();
                allCfs = new X509Certificate[newLength];
                Iterator<X509Certificate> it = certsVect.iterator();
                for (int i = 0; i < newLength; i++) {
                    if (i < cf.length) {
                        allCfs[i] = cf[i];
                    } else {
                        allCfs[i] = it.next();
                    }
                }
            } catch (KeyStoreException e) {
                // Keep only the default issuers.
            }
        }
        for (int i = 0; i < allCfs.length; i++) {
            System.out.println("allCfs[" + i + "]: " + allCfs[i].getIssuerDN());
        }
        return allCfs;
    }

    /**
     * This class implements an interactive dialog. It shows the contents of a
     * certificate and asks the user if it is trustable or not.
     */
    class AskForTrustability implements ActionListener, ListSelectionListener {
        private JButton yes = new JButton("Yes"), no = new JButton("No");
        /** default to not trustable */
        private boolean isTrusted = false;
        private JDialog trust = null;
        private JList certItems = null;
        private JTextArea certValues = null;
        private JComboBox certChain = null;
        private final String certParms[] = {"Version", "Serial Number", "Signature Algorithm", "Issuer", "Validity Period", "Subject", "Signature", "Certificate Fingerprint"};
        private X509Certificate[] chain;
        private int chainIdx = 0;

        /**
         * Creates an instance of the class and stores the certificate to show internally.
         *
         * @param chain In: The certificate chain to show.
         */
        AskForTrustability(X509Certificate[] chain) {
            this.chain = chain;
        }

        /**
         * This method shows a dialog with all interesting information of the certificate and
         * asks the user if the certificate is trustable or not. This method block

## DB:3.17:Custom Trustmanager Example Which Asks User For Trustability 8s

I think it is a forum problem; some things have disappeared.....
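
Added example, not part of the post above: setting javax.net.ssl.trustStore makes the named file the JVM's default trust store in place of the JDK's cacerts, not in addition to it. The code below instead builds one PKIX X509TrustManager over the union of cacerts and a per-user store, records user-accepted certificates under their SHA-256 fingerprint (so two certificates from the same issuer cannot overwrite each other), and shows how to compute the fingerprint you would display in the dialog. The cacerts location under java.home and its password "changeit" are the JDK defaults; the per-user file name is an assumption.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: one trust manager over the JDK cacerts plus a user-local store,
 * without touching the javax.net.ssl.trustStore system property.
 */
public class MergedTrust {

    /** Loads a JKS/PKCS12 file, or returns an empty in-memory store if it does not exist. */
    static KeyStore loadOrEmpty(File f, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) { ks.load(in, password); }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** The JDK's own trust store: java.home/lib/security/cacerts, default password changeit. */
    static KeyStore jdkCacerts() throws Exception {
        File f = new File(System.getProperty("java.home"), "lib/security/cacerts");
        return loadOrEmpty(f, "changeit".toCharArray());
    }

    /** Lower-case hex SHA-256 over the DER encoding: the value to show in a "trust this?" dialog. */
    static String fingerprint(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Records a user-accepted certificate in the local store and writes the store to disk. */
    static void addTrusted(KeyStore local, File file, char[] password, X509Certificate c) throws Exception {
        local.setCertificateEntry("tofu-" + fingerprint(c), c);   // alias unique per certificate
        try (OutputStream out = new FileOutputStream(file)) { local.store(out, password); }
    }

    /** One X509TrustManager whose anchors are every trusted certificate from every given store. */
    static X509TrustManager merged(KeyStore... stores) throws Exception {
        KeyStore union = KeyStore.getInstance(KeyStore.getDefaultType());
        union.load(null, null);
        int n = 0;
        for (KeyStore ks : stores) {
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String alias = e.nextElement();
                if (ks.isCertificateEntry(alias)) {
                    // Counter prefix: equal aliases from different stores must not collide.
                    union.setCertificateEntry((n++) + ":" + alias, ks.getCertificate(alias));
                }
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(union);   // throws IllegalArgumentException if union holds no trusted certificates
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    public static void main(String[] args) throws Exception {
        File localFile = new File(System.getProperty("user.home"), "https-keystore"); // assumed name
        char[] pw = "changeit".toCharArray();
        KeyStore local = loadOrEmpty(localFile, pw);
        X509TrustManager tm = merged(jdkCacerts(), local);
        System.out.println("accepted issuers: " + tm.getAcceptedIssuers().length);
    }
}
```

After addTrusted() the merged trust manager has to be rebuilt (call merged() again and re-create the SSLContext), since a TrustManager does not watch its keystore for changes.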

• RELEVANCY SCORE 3.17

## DB:3.17:Jboss Security Keystore File Problem k3

What type of keystore file does JBoss need? I have generated a keystore file that works fine with standalone Tomcat. However, the same keystore file does not work with JBoss. Does anyone have any solution to this problem? Thank you in advance!
http://www.qtbot.com

## DB:3.17:Jboss Security Keystore File Problem k3

Use keytool.
http://wiki.jboss.org/wiki/Wiki.jsp?page=CreateAKeystore

• RELEVANCY SCORE 3.17

## DB:3.17:No Cert Sent From Java Client To Iis Server mx

Hey anyone can help? I got an urgent problem. Here's the background:

1. I need to send an xml to a https IIS server that authenticates by digital cert.

2. I have generated a keystore using the following cmd:
keytool -genkey -alias mykey -keystore mykeystore -keyalg rsa

3. I exported a public key/certificate using the keystore generated in step 2:
keytool -export -rfc -alias mykey -v -keystore mykeystore -file client.cer

4. I sent the cert generated in step 3 to the server for them to install.

5. The server sent me a public key and I have imported it into my keystore:
keytool -import -trustcacerts -file server.cer -keystore mykeystore

6. There is no need for a CA here because the server just explicitly trusts my public key.

Here's where the problem comes. I use HttpsURLConnection to connect to the server's https url. It seems that no cert was actually being sent over (I have used the getLocalCertificates method to find out). And the server always rejects me. I have not attached any code here, because it might become too long.

Really urgent. I got no untrusted cert msg either. But it seems that there's always no cert being sent out.

Help!!!

## DB:3.17:No Cert Sent From Java Client To Iis Server mx

Did you find any solution to this?

I am also having the same problem, as the IIS server returns me an HTTP 403 Access Forbidden error.

• RELEVANCY SCORE 3.16

## DB:3.16:Problems Loading A Keystore With Java Webstart ff

Hello, I have a standalone application that is basically a WS client. It connects to a secure WS, which uses certificates to authenticate, deployed on JBoss AS7. Everything works fine (both keystore and truststore are loaded) when I launch the app from my IDE, but when I try as a webstart app comes the trouble. The problem is that when launched from webstart, the keystore is not loaded. On the other hand, the truststore loads perfectly. Webstart console output:

trustStore is: /home/matijav/Downloads/certs/matija.truststore
trustStore type is : JKS
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=matija, OU=Dev, O=SL, L=Lj, ST=Slo, C=SI
Issuer: CN=matija, OU=Dev, O=SL, L=Lj, ST=Slo, C=SI
Algorithm: RSA; Serial number: 0x52b45d57
Valid from Fri Dec 20 16:08:07 CET 2013 until Thu Mar 20 16:08:07 CET 2014

Because of this, when my app tries to connect to the WS I get com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate.

Here is my configuration: In JNLP I have defined all-permissions:

<security><all-permissions/></security>

All jars are signed with the same, self-generated certificate. For the first time (and if the user wants to change) the application asks the user in a JDialog for the keystore/pass and truststore/pass combination. With

KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(new FileInputStream(certificate), passwordField.getPassword());

I check that the keystore/truststore and pass match. If the combination matches, everything is set to system properties:

System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePsw);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePsw);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");

Then the WS is called:

port = new MyService(url).getMyPort();
final Map<String,Object> requestContext = ((BindingProvider)port).getRequestContext();
requestContext.put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, connection.getEndpoint());
port.callMethod(params);

and here, when the app tries to authenticate to the JBoss WS mechanism, I get the bad_certificate exception. From what I understand the problem is that the keystore is not loaded, so then obviously the WS call fails. Can anyone explain to me why the keystore is not loaded and what am I missing?

Thank you,
Matija

• RELEVANCY SCORE 3.15

## DB:3.15:Securing Keystore Key zs

Hi,

I am in a dilemma about how to secure my keystore key. In my application, I use the java.security.KeyStore class. And the only way I could find to securely store the keystore key is to write it encoded into a file, but this is very weak.

What would you do in such a situation, gurus?

Thanx

## DB:3.15:Securing Keystore Key zs

Ja, but in the application everything must be automatic. If I encrypt the file in which I put the keystore key, then how will I provide security for the encryption key? :-) I think there is a deadlock here.

Thanx

• RELEVANCY SCORE 3.15

## DB:3.15:Using A Pkcs12 Key With Java's Keytool ad

Folk,

I struggled for the longest time using a PKCS12 key to sign jars / applets with the Java Keytool.

Despite documentation stating otherwise, JDK 1.4 (beta 3) and JSSE 1.0.2 would not let me sign files from a PKCS12 keystore exported from MIE / Netscape, or exported from IBM Http Server Key Management Utility.

Anyway, the solution I found to work was to install the security class libraries from Wedgetail (http://www.wedgetail.com/jcsi/index.html).

Following their instructions I set up my JDK 1.3 VM, allowing me to now read proper PKCS12 key stores.

Having proven that I could now read PKCS12 keystores (using keytool -list -keystore xxxx.p12 -storetype PKCS12). I then set about converting a PKCS12 keystore into a jks keystore. The following simple code will do this job for you, and then you can delete the Wedgetail / JCSI classes / setup and use the output jks keystore file with the standard JRE / JDK security tools such as keytool.

Hope this is useful.

Regards,

Roger Spall (NOSPAMroger@logicent.comSPAM)

import java.io.*;
import java.security.*;
// assumes you are using a 3rd party keystore library
// for pkcs12 key stores. For some reason, JDK 1.4 won't
// read pkcs12 files exported from MIE / Netscape

class Convert {
    static public void main(String[] args) throws Exception {
        try {
            // pkcs12 keystore
            KeyStore ks = KeyStore.getInstance("pkcs12");
            // jks keystore
            KeyStore ks2 = KeyStore.getInstance("jks");

            // load the pkcs12 file
            ks.load(new FileInputStream("F:\\spall.p12"), "password".toCharArray());

            // load the jks file (have to have an existing one)
            ks2.load(new FileInputStream("F:\\.keystore"), "password".toCharArray());

            // read the p12 certificate chain and private key
            java.security.cert.Certificate[] cc = ks.getCertificateChain("p12alias");
            Key k = ks.getKey("p12alias", "password".toCharArray());

            // add to keystore and save
            ks2.setKeyEntry("keystorealias", k, "password".toCharArray(), cc);
            FileOutputStream out = new FileOutputStream("F:\\new.keystore");
            ks2.store(out, "password".toCharArray());
            out.close();

        } catch (Throwable e) {
            e.printStackTrace();
        }
    }
}

## DB:3.15:Using A Pkcs12 Key With Java's Keytool ad

Actually, I have had no problems at all in reading pkcs12 files exported from netscape with keytool, provided you have JSSE installed. Note that the support is ONLY reading pkcs12 files (not generating pkcs12 keystores) as stated at:
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE

See also:
http://home.iSTAR.ca/~neutron/jssesign/ and
http://home.iSTAR.ca/~neutron/Thawte/

- Mitch
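
The conversion above copies one known alias. As an added example (not Roger's code), the class below copies every key entry with its chain and every trusted certificate between two stores of any supported type, creating the destination in memory so no pre-existing .keystore file is needed. Store types, paths and passwords are command-line arguments.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Added example: copies all entries from one keystore to a new one of another type,
 * e.g. PKCS12 -> JKS or JKS -> PKCS12, without knowing the alias names in advance.
 * Usage: java KeyStoreCopy in.p12 PKCS12 <inpass> out.jks JKS <outpass>
 */
public class KeyStoreCopy {

    static KeyStore open(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /**
     * Returns a new store of dstType holding every entry of src.
     * keyPass unlocks the private keys in src (for PKCS12 normally the store password);
     * dstKeyPass protects them in the destination.
     */
    static KeyStore copy(KeyStore src, char[] keyPass, String dstType, char[] dstKeyPass) throws Exception {
        KeyStore dst = KeyStore.getInstance(dstType);
        dst.load(null, null);                       // start empty; no file needed
        int keys = 0, certs = 0;
        for (Enumeration<String> e = src.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (src.isKeyEntry(alias)) {
                Key key = src.getKey(alias, keyPass);
                if (!(key instanceof PrivateKey)) {
                    // JKS cannot hold secret (symmetric) keys; PKCS12 can. Report and move on.
                    System.out.println("skipping '" + alias + "': not a private key entry");
                    continue;
                }
                Certificate[] chain = src.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    throw new IllegalStateException("key entry '" + alias + "' has no certificate chain");
                }
                dst.setKeyEntry(alias, key, dstKeyPass, chain);
                keys++;
            } else if (src.isCertificateEntry(alias)) {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
                certs++;
            }
        }
        System.out.println("copied " + keys + " key entries and " + certs + " trusted certificates");
        return dst;
    }

    public static void main(String[] args) throws Exception {
        char[] inPass = args[2].toCharArray();
        char[] outPass = args[5].toCharArray();
        KeyStore src = open(args[0], args[1], inPass);
        KeyStore dst = copy(src, inPass, args[4], outPass);
        try (OutputStream out = new FileOutputStream(args[3])) { dst.store(out, outPass); }
    }
}
```

On Java 6 and later the same job is done from the command line with keytool -importkeystore -srckeystore in.p12 -srcstoretype PKCS12 -destkeystore out.jks -deststoretype JKS; the programmatic version is useful when the stores are not on disk or when entries need filtering.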

• RELEVANCY SCORE 3.15

## DB:3.15:Keystore Problem 7f

Hi,Friends

I want to dynamically get the keystore.
However,

I always get an exception that says:

java.io.IOException: DER input, Integer tag error

What my certificate file is: exported from the web browser via Tools - Options - Certificates - Other People - Export,
selecting DER encoded binary X.509.

Here is my source:

KeyStore keystore = KeyStore.getInstance( "PKCS12" );
keystore.load( new FileInputStream( "D:\\certificate\\509.cer" ), "changeit".toCharArray() );

Thanks in advance

## DB:3.15:Keystore Problem 7f

I thought you said the password wasn't 'changeit'?

• RELEVANCY SCORE 3.15

## DB:3.15:How To Add A New Certificate To Jre1.6 Keystore? ac

Hi guys,
I'm new to Java programming and I'm trying to add a new certificate to the jre1.6 keystore but I'm facing a small problem! When I try to run the below command line I get this message:
"The filename, directory name, or volume label syntax is incorrect."

"C:\Program Files\Java\jre6\bin\keytool" -keystore "C:\Program Files\Java\jre6\lib\security\cacerts" -import -file D:\cert.cer

Thanks

## DB:3.15:How To Add A New Certificate To Jre1.6 Keystore? ac

Dinesh,

Can you guide me on how to generate stubs in Eclipse using Axis2 for Web Services 2.0?
How to map the namespace for packages?

Thanks and Regards
Tirupathi Rao.P

Edited by: 854094 on Apr 22, 2011 4:17 AM
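
Both the DER-encoded .cer in the "Keystore Problem" post and the cert.cer being added to cacerts in the post above are bare X.509 certificates, not keystores: KeyStore.load() expects a keystore container, which is why handing it a certificate fails while parsing the DER. As an added example (not from either post), the code below parses a DER or PEM certificate with CertificateFactory, prints its subject, issuer and validity, and adds it as a trusted entry to a keystore, creating the store if absent. Paths, password and alias are command-line arguments.

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Added example: import a .cer/.crt (DER or PEM) into a keystore as a trusted entry.
 * Usage: java ImportCert cert.cer truststore.jks <storepass> <alias>
 */
public class ImportCert {

    /** Tells DER from PEM by the first bytes: a DER SEQUENCE starts 0x30, PEM with "-----". */
    static String sniff(byte[] data) {
        if (data.length > 0 && (data[0] & 0xff) == 0x30) return "DER";
        if (data.length > 4 && "-----".equals(new String(data, 0, 5, StandardCharsets.US_ASCII))) return "PEM";
        return "unknown";
    }

    /** CertificateFactory accepts both encodings; no keystore involved at this point. */
    static X509Certificate parse(byte[] data) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(data));
    }

    /** Loads an existing keystore, or creates an empty one when the file is absent. */
    static KeyStore openOrCreate(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(Paths.get(path))) {
            try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        } else {
            ks.load(null, password);
        }
        return ks;
    }

    /** Adds cert under alias; returns false and changes nothing if the alias holds a different cert. */
    static boolean addTrusted(KeyStore ks, String alias, X509Certificate cert) throws Exception {
        if (ks.containsAlias(alias) && !cert.equals(ks.getCertificate(alias))) {
            return false;
        }
        ks.setCertificateEntry(alias, cert);
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] data = Files.readAllBytes(Paths.get(args[0]));
        System.out.println("input looks like " + sniff(data));
        X509Certificate cert = parse(data);
        System.out.println("subject: " + cert.getSubjectX500Principal()
            + "\nissuer:  " + cert.getIssuerX500Principal()
            + "\nvalid:   " + cert.getNotBefore() + " .. " + cert.getNotAfter());
        cert.checkValidity();   // refuse to trust an expired or not-yet-valid certificate

        char[] pw = args[2].toCharArray();
        KeyStore ks = openOrCreate(args[1], pw);
        if (!addTrusted(ks, args[3], cert)) {
            System.err.println("alias '" + args[3] + "' already holds a different certificate; pick another alias");
            System.exit(1);
        }
        try (OutputStream out = new FileOutputStream(args[1])) { ks.store(out, pw); }
        System.out.println("stored as trusted entry '" + args[3] + "' in " + args[1]);
    }
}
```

Importing into the JDK's cacerts is the same call with the cacerts path and its default password changeit; a cacerts under Program Files is usually writable only from an elevated prompt.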

• RELEVANCY SCORE 3.14

## DB:3.14:Using Ldap As A Keystore/Truststore 37

Hi,

I have a Java application that must open secure communication with a WEB Server. Today, my Java application uses the default keystore/truststore provided by JSSE (stored into PKCS12 file format).

I would like to store the truststore/keystore into an LDAP DB and that my Java Application will use directly LDAP as a repository for keystore/truststore and not anymore the PKCS12 files.

How can I do that? Do I need to implement a specific KeyManager and TrustManager? Is there a library that implements that?
BR,

Sebastien.

## DB:3.14:Using Ldap As A Keystore/Truststore 37

I'm doing the same thing right now, done with the truststore implementation but still writing the keystore part.

We're using Tomcat 5.5.x so I had to create my own SSLImplementation. I suggest that you download Tomcat's source code and look at the org.apache.tomcat.util.net.jsse package to see how they did it.

You'd want to check out JSSESocketFactory.getStore() in particular; Tomcat reads from a file (only) so you'd have to implement similar method(s) that read from your LDAP server instead.

HTH.
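
Added example, not Sebastien's or Tomcat's code: TrustManagerFactory.init() takes a KeyStore object, not a file, so an LDAP-backed trust store needs neither a custom TrustManager nor a KeyStoreSpi. Fetch the certificates, put them in an in-memory KeyStore, and hand that to the factory. The key-manager side works the same way with KeyManagerFactory.init(keyStore, password) once a private key and chain have been placed in the in-memory store with setKeyEntry. The LDAP URL, base DN and the userCertificate;binary attribute are assumptions for illustration; the directory schema decides the real attribute.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: build a trust store in memory from certificates held in LDAP
 * and initialise the standard TrustManagerFactory from it.
 */
public class LdapTrustStore {

    /** Reads userCertificate;binary from every entry under baseDn; keys are entry DNs. */
    static Map<String, byte[]> fetchDerCerts(String ldapUrl, String baseDn) throws Exception {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        // userCertificate is binary by default in the JDK LDAP provider; stating it keeps that explicit.
        env.put("java.naming.ldap.attributes.binary", "userCertificate");
        DirContext ctx = new InitialDirContext(env);
        Map<String, byte[]> out = new LinkedHashMap<>();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "userCertificate;binary" });
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, "(userCertificate=*)", sc);
            while (results.hasMore()) {
                SearchResult r = results.next();
                Attribute a = r.getAttributes().get("userCertificate;binary");
                if (a == null) a = r.getAttributes().get("userCertificate");
                if (a != null) out.put(r.getNameInNamespace(), (byte[]) a.get());
            }
        } finally {
            ctx.close();
        }
        return out;
    }

    /** An in-memory KeyStore with one trusted-certificate entry per repository record. */
    static KeyStore toTrustStore(Map<String, byte[]> derByName) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);   // empty store, never touches the file system
        for (Map.Entry<String, byte[]> e : derByName.entrySet()) {
            X509Certificate c = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(e.getValue()));
            ks.setCertificateEntry(e.getKey(), c);
        }
        return ks;
    }

    static TrustManager[] trustManagers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);   // throws if ks holds no trusted certificates
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        // Assumed directory and search base; replace with the real ones.
        Map<String, byte[]> certs = fetchDerCerts("ldap://ldap.example.com:389", "ou=CAs,dc=example,dc=com");
        KeyStore ks = toTrustStore(certs);
        System.out.println("trusted entries: " + ks.size());
        TrustManager[] tms = trustManagers(ks);
        // tms goes into SSLContext.init(keyManagers, tms, null).
    }
}
```

Refresh is the one thing a file store gives you for free that this does not: re-run fetchDerCerts() on a schedule or on a directory change notification and rebuild the SSLContext, since the factory snapshots the store at init time.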

• RELEVANCY SCORE 3.14

## DB:3.14:Ssl Connection Keystore(Multiple Entries) kx

Hello

I have the following situation:

I made a keystore file with 2 entries
keytool -genkey -alias nr1 -keystore keystore
..
keytool -genkey -alias nr2 -keystore keystore
...

After that I made two different truststores (for each nr?):

keytool -export -keystore keystore -alias nr1 -file nr1.cer
keytool -export -keystore keystore -alias nr2 -file nr2.cer

keytool -import -keystore nr1 -alias nr1 -file nr1.cer
keytool -import -keystore nr2 -alias nr2 -file nr2.cer

So in the end I have one keystore (keystore) and 2 truststores (nr1 and nr2)

Now if I try to connect with the nr1 certificate all works fine.

If I try it with nr2 it doesn't work. I get the following exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150) ................

Anyone can help me out?

thanks for any help

Michael

## DB:3.14:Ssl Connection Keystore(Multiple Entries) kx

Hi,

have you found the solution? I have the same problem...

• RELEVANCY SCORE 3.13

## DB:3.13:Problems Signing Applet In Jdk 1.3.1 7p

Hi,
I have signed and deployed applets in 1.4.1. Since we have to port it to JDK 1.3.1, I have repeated the process (recreated the certificate and signed the jar file using the keytool and jarsigner shipped with JDK 1.3.1_04). Now I am getting the java.security.cert.CertificateException: Unable to verify the certificate with root CA.

These are the steps I followed.
1. Created a keystore and certificate using keytool:
keytool -genkey -alias krishna -keystore keystore. It prompted me for a store password, and I have supplied it.
keytool -export -alias krishna -keystore keystore -file testcert.crt. It generated the certificate.
Then I added both the keystore (which might not be necessary) as well as the testcert.crt file to the jar file,
and I signed it using jarsigner. The jarsigner -verify says the jar is verified.
But after loading the html file, I get the CertificateException.
I didn't have this problem when I first used 1.4.1.

Do I have to use policy files? This would be an inconvenience to the users if they have to import those policy files.

TIA,
Krishna

I am attaching the java console traces:
--------------------------------------------------
java.security.cert.CertificateException: Unable to verify the certificate with root CA
at sun.plugin.security.TrustDecider.isAllPermissionGranted(Unknown Source)
at sun.plugin.security.PluginClassLoader.getPermissions(Unknown Source)
at java.security.SecureClassLoader.getProtectionDomain(Unknown Source)
at java.security.SecureClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.defineClass(Unknown Source)
at java.net.URLClassLoader.access$100(Unknown Source)
at java.net.URLClassLoader$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(Unknown Source)
at sun.applet.AppletClassLoader.findClass(Unknown Source)
at sun.plugin.security.PluginClassLoader.findClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadClass(Unknown Source)
at java.lang.ClassLoader.loadClass(Unknown Source)
at sun.applet.AppletClassLoader.loadCode(Unknown Source)
at sun.applet.AppletPanel.createApplet(Unknown Source)
at sun.plugin.AppletViewer.createApplet(Unknown Source)
at sun.applet.AppletPanel.runLoader(Unknown Source)
at sun.applet.AppletPanel.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

## DB:3.13:Problems Signing Applet In Jdk 1.3.1 7p

I am having the same problem, did you manage to find a solution?

Thanks,

DeltaCoder
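
Added example, not from the thread: jarsigner -verify confirms the signature is intact, but the exception above is about the certificate, so the useful check is which certificate the plugin will be asked to trust. The class below reads every entry of a jar (verification happens on read), collects the signer certificate chains, and flags a self-signed leaf, i.e. one with no CA behind it. The jar path is a command-line argument.

```java
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Added example: list the signer certificate chains of a jar and say whether each
 * signing certificate is self-signed. Usage: java JarSigners GetPrintJob.jar
 */
public class JarSigners {

    /** Signer chains found on the jar's entries (deduplicated); empty for an unsigned jar. */
    static Set<List<? extends Certificate>> signerChains(String jarPath) throws Exception {
        Set<List<? extends Certificate>> chains = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(jarPath, true)) {      // true = verify signatures
            byte[] buf = new byte[8192];
            for (Enumeration<JarEntry> e = jar.entries(); e.hasMoreElements();) {
                JarEntry entry = e.nextElement();
                if (entry.isDirectory()) continue;
                // Signers are only known once the entry has been read and its digest checked;
                // a tampered entry makes read() throw SecurityException.
                try (InputStream in = jar.getInputStream(entry)) {
                    while (in.read(buf) != -1) { /* consume to trigger verification */ }
                }
                CodeSigner[] signers = entry.getCodeSigners();
                if (signers == null) continue;                // unsigned entry (e.g. META-INF files)
                for (CodeSigner s : signers) chains.add(s.getSignerCertPath().getCertificates());
            }
        }
        return chains;
    }

    static boolean isSelfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        Set<List<? extends Certificate>> chains = signerChains(args[0]);
        if (chains.isEmpty()) { System.out.println("jar is not signed"); return; }
        for (List<? extends Certificate> chain : chains) {
            X509Certificate leaf = (X509Certificate) chain.get(0);
            System.out.println("signer: " + leaf.getSubjectX500Principal());
            System.out.println("  chain length " + chain.size()
                + (isSelfSigned(leaf) ? " (self-signed: no CA vouches for it)" : ""));
            for (Certificate c : chain) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  - " + x.getSubjectX500Principal() + " issued by " + x.getIssuerX500Principal());
            }
        }
    }
}
```

A chain of length 1 whose leaf is self-signed is exactly what keytool -genkey followed by jarsigner produces; whether a given plugin version accepts that without prompting is a plugin policy question, not a signature defect.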

• RELEVANCY SCORE 3.13

## DB:3.13:2way Ssl, Keystore Question 3m

I have managed to setup apache and my java client to do 2way SSL.
Further more, I configured apache to only allow access to a folder when the CN of the client certificate matches a predefined CN.

Now, my question:

This only seems to work when the client uses the keystore as PKCS12. When I use the JKS keystore, I get the well known: "java.net.SocketException: Software caused connection abort: recv failed" error.

So, when I do it like this:

-Djavax.net.ssl.keyStore=d:\certs\client-java\clientCert.p12
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.keyStoreType=PKCS12
-Djavax.net.ssl.trustStore=d:\certs\client-java\truststore
-Djavax.net.ssl.trustStorePassword=changeit

Everything goes fine.

When I do it like this:

-Djavax.net.ssl.keyStore=d:\certs\client-java\keystore
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=d:\certs\client-java\truststore
-Djavax.net.ssl.trustStorePassword=changeit

It doesn't work (recv failed).
Does anyone have an explanation for this?

The contents of keystore:

keytool -list -keystore keystore
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

mycert, 2-aug-2006, trustedCertEntry,
Certificate fingerprint (MD5): 79:A5:CB:93:9E:66:42:55:38:1B:0F:F2:B3:55:72:E9
mykey, 2-aug-2006, keyEntry,
Certificate fingerprint (MD5): A5:4F:E6:54:3D:99:7E:57:60:9C:F0:CF:47:DC:C4:DE

I created the keystore like this:

1. keytool -genkey -keysize 1024 -keyalg RSA -keystore keystore
2. keytool -certreq -file request.csr -keystore keystore

signed the request.csr with openssl and my own CA

3.keytool -import -file signedcert.pem -keystore keystore

• RELEVANCY SCORE 3.13

## DB:3.13:Client Certificate - Response Code: 403 ma

Hi,
I'm hitting into a "Server returned HTTP response code: 403" when trying to access a site requiring a client cert/authentication. The site that I'm trying to access has provided me a client cert (public/private key) to use when accessing the site. The certificate is in .pfx format. I know the cert works because if I install it in a browser (IE or Mozilla on Solaris) it works perfectly to access the site. When I try to use it in my code I hit into a "Server returned HTTP response code: 403". Because the client certificate is in .pfx format I could not use keytool to import it into a keystore, so I used BouncyCastleProvider to access the .pfx file directly. Here's my code:

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// register Bouncy Castle so that KeyStore.getInstance("PKCS12", "BC") resolves
java.security.Provider provider =
new org.bouncycastle.jce.provider.BouncyCastleProvider();
java.security.Security.addProvider(provider);
System.out.print("creating secure random...");
SecureRandom secureRandom = new SecureRandom();
secureRandom.nextInt();
System.out.println("done!");

System.out.print("getting the server trust/keystore...");
KeyStore serverKeyStore = KeyStore.getInstance("JKS");
System.out.println("done!");
System.out.print("loading the servers public key...");
serverKeyStore.load(new FileInputStream("/usr/java/jre/lib/security/cacerts"),
"changeit".toCharArray() );
System.out.println("done!");

System.out.print("loading my private key...");
KeyStore clientKeyStore = KeyStore.getInstance("PKCS12", "BC");
clientKeyStore.load(
new FileInputStream("/home/mabe/clientcert.pfx" ),
"SV".toCharArray() );
System.out.println("done!");

System.out.print("initializing truststore...");
TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
tmf.init( serverKeyStore );
System.out.println("done!");

System.out.print("initializing keystore...");
KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
kmf.init( clientKeyStore, "".toCharArray() );
System.out.println("done!");
//print out the aliases from the client keystore, to see that we really got the cert
System.out.println("aliases in keystore:");
Enumeration e = clientKeyStore.aliases();
while(e.hasMoreElements())
System.out.println(e.nextElement());

System.out.print("getting the sslcontext...");
SSLContext sslContext = SSLContext.getInstance( "TLS" );
sslContext.init( kmf.getKeyManagers(),
tmf.getTrustManagers(),
secureRandom );
System.out.println("done!");

URL myUrl =
new java.net.URL("https://bla.bla.bla");
HttpsURLConnection conn =
(javax.net.ssl.HttpsURLConnection) myUrl.openConnection();
conn.setSSLSocketFactory(sslContext.getSocketFactory());
InputStream in = conn.getInputStream();

BufferedReader reader =
new BufferedReader(new InputStreamReader(in));

String tmp = "";
while ((tmp = reader.readLine()) != null)
{
System.out.println(tmp);
}

And here is the output:

creating secure random...done!
getting the keystore...done!
loading the servers public key...done!
loading my private key...done!
initializing truststore...done!
initializing keystore...done!
aliases in keystore:
57e720cd2a8b9abea9ac42c6a13aed40_67817e58-6eef-418c-93e8-bcd1b4604bb0
getting the sslcontext...done!
Boom!
java.io.IOException: Server returned HTTP response code: 403 for URL: https://bla.bla.bla.
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:791)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(DashoA6275)
at Client.init(Client.java:81)
at Client.main(Client.java:11)

So it seems to me that I never send the client cert to the server... or am I missing something important? The strange alias you see in the output I think is a Microsoft thing (the cert was created, I think, in a Microsoft environment). If I use KeyStore Explorer (http://www.lazgosoftware.com/kse/) I can load the .pfx-file into a keystore and view it, then I see another alias.

Is there any way to find out that the client cert is being sent? I tried to understand the output from javax.net.debug=ssl, but it was too much. If you are interested I will gladly post it.

So, do you guys have any clue why this ain't working? Any help would be great!
regards
Mange
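One way to answer the question above (whether a client certificate would be sent at all), as an added example and not the poster's code: it opens the PKCS#12 file with the JDK's built-in provider (no BouncyCastle needed), reports what each alias actually holds, and then asks the SunX509 KeyManager which alias it would choose for a client certificate. Path and password are placeholder arguments; a null answer means the handshake would reply to the server's CertificateRequest with no certificate, which is consistent with the 403 shown in the output.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

/** Added diagnostic: what would the SunX509 KeyManager present from this PKCS#12 file? */
public class ClientCertCheck {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "clientcert.pfx";                 // placeholder
        char[] storePass = (args.length > 1 ? args[1] : "changeit").toCharArray();  // placeholder

        KeyStore ks = KeyStore.getInstance("PKCS12");   // JDK provider, no "BC" required
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }

        // Step 1: inspect the store. A client cert is only usable when the alias is a
        // *key* entry AND a certificate chain is attached to that key.
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);
            System.out.println("alias=" + alias
                    + " keyEntry=" + ks.isKeyEntry(alias)
                    + " chainLength=" + (chain == null ? 0 : chain.length)
                    + " subject=" + subjectOf(ks.getCertificate(alias)));
        }

        // Step 2: ask the KeyManager itself. The JDK PKCS#12 store protects keys with
        // the store password, so the same password is passed for the keys.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, storePass);
        X509KeyManager km = firstX509(kmf.getKeyManagers());

        // null here = nothing will be offered during client authentication
        String chosen = km.chooseClientAlias(new String[] {"RSA", "EC"}, null, null);
        System.out.println("KeyManager would present alias: " + chosen);
        if (chosen != null) {
            PrivateKey key = km.getPrivateKey(chosen);
            X509Certificate[] chain = km.getCertificateChain(chosen);
            System.out.println("  key algorithm=" + key.getAlgorithm()
                    + " chainLength=" + chain.length
                    + " leafSubject=" + chain[0].getSubjectX500Principal());
        }
    }

    private static String subjectOf(Certificate c) {
        return (c instanceof X509Certificate)
                ? ((X509Certificate) c).getSubjectX500Principal().getName()
                : "n/a";
    }

    private static X509KeyManager firstX509(KeyManager[] managers) {
        for (KeyManager km : managers) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager available");
    }
}
```

On the wire, the same information is visible with -Djavax.net.debug=ssl,handshake: look for the server's CertificateRequest and check whether the client's Certificate message that follows it carries a chain or is empty.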

## DB:3.13:Client Certificate - Response Code: 403 ma

Hi,
found a solution on this forum, I imported the .pfx-keypair in Netscape and then exported (used backup in Netscape) it as a .p12-file, then it worked!
/mange

• RELEVANCY SCORE 3.13

## DB:3.13:Signed Jar Problem With Keystore pf

hi all,

first let my explain the environment of my problem.

im using tomcat 5.5 to test my applet, its installed on my local machine and accessed with the URL http:localhost:8080 and i use jdk1.6_13
i have a jar file GetPrintJob.jar which contains a GetPrintJob.class....this jar is placed in the root of a web application named dog-breed with direct access, so to access the applet i have to refer to the URL http://localhost:8080/dog-breed/hi.html
where hi.html contains the applet tag.

now i have created private/public key pair with keytool utility as follow:

keytool -genkey

i set the key store password and filled all the required fields and the pair is saved with alias mykey in .keystore key storage.

then i signed my GetPrintJob.jar with the alias mykey as follow:

jarsigner GetPrintJob.jar mykey

then my GetPrintJob.jar is now signed and i placed it in the root of the dog-breed web application.

then i exported the public certificate from .keystore as follows:

keytool -export -alias mykey -file hisham.cer

then i imported the certificate into cacerts as follows:

keytool -import -alias hisho -file hisham.cer -keystore "c:\program files\java\jdk1.6_13\jre\lib\security\cacerts"

i entered the password pass to the cacerts certificate store and trusted the certificate.

i used policytool to edit my java.policy file and did the follow
from edit menu i opened keystore-edit

i placed in keystore URL the following "c:\program files\java\jdk1.6_13\jre\lib\security\cacerts "
and in the keyStore Type the following "jks"

i then opened the java.policy in "c:\program files\java\jdk1.6_13\jre\lib\security\java.policy" using policytool and added the following:

CodeBase "http://localhost:8080/*" , SignedBy "hisho"

but when i press the done button a status dialog appears with the following warning: A public key for alias hisho does not exist. Make sure a keystore is properly configured.

im totally new in the security field and i have spent 4 days now but i couldn't find an answer.

so please give me your advice and show me what's wrong

Edited by: wolfheart_2001 on Jun 24, 2009 4:25 AM

## DB:3.13:Signed Jar Problem With Keystore pf

> i placed in keystore URL the following "c:\program files\java\jdk1.6_13\jre\lib\security\cacerts "

The keystore URL, if it points to a file on the local system, should look like

file:c:/program files/java/jdk1.6_13/jre/lib/security/cacerts

• RELEVANCY SCORE 3.12

## DB:3.12:Weblogic Administrator Server Won't Start After A Fresh Wcc Install xp

Hi guys, i followed this [install documentation|http://docs.oracle.com/cd/E23943_01/doc.1111/e14538/qiecm.htm#sthref8] to install wls and WCC on an OEL6 (64bit) box, and all went relatively smoothly. Then when I get ready to start the weblogic admin server for the first time, it errors out on me.

system:
-Oracle Enterprise Linux6 (64bit)
-WebLogic Server 12.1.1
-Webcenter Content 11g
-Oracle DB 11g

basic steps I've taken:
1) RCU installed UCM, URM, IPM, and IBR schemas into 11g DB
2) installed wls, created a basic domain (base_domain) with Admin Server as a place holder
3) installed WCC, create new domain (wcc_domain) with Admin Server
4) start wls Admin Server: $WCC_DOMAIN_HOME/bin/startWebLogic.sh
5) error.......

[high level error msg]
Feb 12, 2013 10:27:07 PM oracle.security.jps.internal.keystore.file.FileKeyStoreManager openKeyStore
WARNING: Opening of file based keystore failed.
Feb 12, 2013 10:27:07 PM CST Error Security BEA-090892 The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
Feb 12, 2013 10:27:07 PM CST Critical WebLogicServer BEA-000386 Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1402)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1022)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:148)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsRuntimeException: JPS-06514: Opening of file based keystore failed.
at oracle.security.jps.internal.policystore.PolicyDelegationController.init(PolicyDelegationController.java:167)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.init(JavaPolicyProvider.java:369)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.JpsException: JPS-06514: Opening of file based keystore failed.
at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPDPService(PolicyUtil.java:2855)
at oracle.security.jps.internal.policystore.PolicyUtil.getPDPService(PolicyUtil.java:3099)
at oracle.security.jps.internal.policystore.PolicyDelegationController.init(PolicyDelegationController.java:164)
at oracle.security.jps.internal.policystore.JavaPolicyProvider.init(JavaPolicyProvider.java:369)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.service.keystore.KeyStoreServiceException: JPS-06514: Opening of file based keystore failed.
at oracle.security.jps.internal.keystore.file.FileKeyStoreManager.openKeyStore(FileKeyStoreManager.java:374)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.doInit(FileKeyStoreServiceImpl.java:105)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.init(FileKeyStoreServiceImpl.java:77)
at oracle.security.jps.internal.keystore.file.FileKeyStoreServiceImpl.init(FileKeyStoreServiceImpl.java:67)
at oracle.security.jps.internal.keystore.KeyStoreProvider.getInstance(KeyStoreProvider.java:157)
Truncated. see log file for complete stacktrace
[high level error msg]

steps I've taken to tackle this problem:
1) removed $WCC_DOMAIN/security folder, then re-entered username/password
result can't find SerializedSystemIni.dat file
2) create a boot.properties file in folder
result same keystore error as above
3) re-generate a new SerializedSystemIni.dat file [described here|http://www.wikiconsole.com/wiki/?p=3041]
result same keystore error as above
4) tried modify cwallet.sso [described here|https://forums.oracle.com/forums/thread.jspa?threadID=2266436]
result can't modify, content in sso file is encrtyped
5) review message with debug option enabled
result it said error from LDAP [described here|http://docs.oracle.com/cd/E17904_01/core.1111/e10043/aptrouble.htm] but I don't have LDAP enabled/installed
6) create a key store based on WCC install doc (IRM section)
result same keystore error as above

none of the steps above work, only option left I can think of, is maybe install it with wls 10.3 (seems like that's what the installation doc used). I honestly hope it could be as simple as that, but if I'm missing anything critical, please let me know.

Thank you

p.s: please feel free to ask me to post the long lengthy debug output

## DB:3.12:Weblogic Administrator Server Won't Start After A Fresh Wcc Install xp

Thanks for the tips Srinath, the wrong wls version was indeed the cause. Now I've got wcc running with wls10.3.6, thank you.

• RELEVANCY SCORE 3.12

## DB:3.12:Java Api To Retrieve Keys From Keystore For Owsm Custom Policy? cf

I would like to get an instance of the keystore I configured inside Enterprise Manager and get some keys. I want to write a custom policy that accesses the configured keystore and retrieves a public/private keypair. What API do I use? I found the WsmKeyStore inside the oracle.wsm.security.jps packages but the implementation is empty so this won't work. I expect the out of the box policies to also use some kind of an API. Or do I need to use a standard Java API to load my keystore? Would be pretty lame if this is the case. I hoped there is some kind of Key(Store)Cache I can retrieve keys from instead of loading the keystore file myself and extracting the keys.

Has anyone done this before?

I was expecting something like:

.. inside my custom policy ...

KeyStore ks = KeyStoreFactory.getInstance("passwd");
ks.getKeyPair("alias", "password");

...

or

KeyCacheManager kcm = KeyCacheManager.getInstance();
KeyPair kp = kcm.getKeyPair("alias", "passwd");

And everything is done for me without additional coding (So this manager, factory gets some cached keys or an already loaded keystore file and returns me the keys).

• RELEVANCY SCORE 3.11

## DB:3.11:Java Api To Download Certificate To Client Keystore 9x

Hi,

I'm trying to write a program in Java to automate the task of downloading the digital certificate from a server and storing it in the client keystore. In my case, the server certificate is not signed by a CA.

Theoretically, I should be able to make a https connection to the server and when the server sends its certificate, I should be able to get a handle to it and store it in the keystore. However I'm not sure which is the correct set of APIs to use.

Using some hacks, I was able to get the certificate as an X509Certificate object. Is there any way to automate, using Java API, the task of storing the certificate into client keystore (without using the "keytool" utility)?

If someone could give a code fragment with an end-to-end solution, I'll appreciate it.

Thanks,
Pranav

## DB:3.11:Java Api To Download Certificate To Client Keystore 9x

Thank you. It is the only answer which works and has helped. All others only beat around the bush.
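An added example (not from the thread) of the automation Pranav asks about, written so that it does not silently trust whatever the server happens to present: a trust manager that only records the chain and then aborts the handshake, a SHA-256 fingerprint printed for out-of-band comparison, and the certificate written to the keystore only when it matches the fingerprint the operator passes on the command line. Host, port, expected fingerprint, keystore path and password are all assumed arguments.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added example: fetch a server certificate, verify its fingerprint, then store it. */
public class CaptureServerCert {

    /** Records the chain the server presents, then rejects it so the handshake
     *  never completes against a peer that has not been verified yet. */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] captured;

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new CertificateException("not used on the client side");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            captured = chain.clone();
            throw new CertificateException("capture only; chain not yet verified");
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /** Opens a TLS connection just long enough to see the server's chain. */
    static X509Certificate[] fetchChain(String host, int port) throws Exception {
        CapturingTrustManager tm = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        } catch (SSLException expected) {
            // our trust manager aborted the handshake after recording the chain
        }
        if (tm.captured == null || tm.captured.length == 0) {
            throw new IllegalStateException("server presented no certificate");
        }
        return tm.captured;
    }

    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // args: host port expected-sha256-fingerprint truststore-file storepass
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String expected = args[2].replace(":", "").toUpperCase();
        File storeFile = new File(args[3]);
        char[] storePass = args[4].toCharArray();

        X509Certificate leaf = fetchChain(host, port)[0];
        leaf.checkValidity();                       // expired or not yet valid: stop here
        String actual = sha256Fingerprint(leaf);
        System.out.println("subject : " + leaf.getSubjectX500Principal());
        System.out.println("SHA-256 : " + actual);

        // The expected fingerprint must come from the server's owner over a separate
        // channel; without this check the tool would trust any interposed peer.
        if (!MessageDigest.isEqual(actual.getBytes(StandardCharsets.US_ASCII),
                                   expected.getBytes(StandardCharsets.US_ASCII))) {
            System.err.println("fingerprint mismatch, certificate NOT stored");
            System.exit(1);
        }

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass);               // start a new, empty trust store
        }
        ks.setCertificateEntry(host, leaf);         // trusted-certificate entry keyed by host
        try (OutputStream out = new FileOutputStream(storeFile)) { ks.store(out, storePass); }
        System.out.println("stored as trusted entry '" + host + "' in " + storeFile);
    }
}
```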

• RELEVANCY SCORE 3.11

## DB:3.11:Sending Digitally Signed Emails In Webdynpro f8

Hi,

Presently I am using Java mail api for sending emails in webdynpro. But now I also need to digitally sign the emails. I tried the following code

ISsfData data = null;

SsfProfileKeyStore profile =null;

boolean res=false;

data = new SsfDataSMIME(message,session); // "message" contains the entire email content

InitialContext ctx = new InitialContext();

Object o = (Object) ctx.lookup("keystore");

KeystoreManager manager = (KeystoreManager) o;

KeyStore keyStore = manager.getKeystore("DEFAULT");

String alias = "test";

profile = new SsfProfileKeyStore(keyStore, alias, null);

// sign the data

SsfDataSMIME data2=(SsfDataSMIME)data;

res = data2.sign(profile);

On executing this code the problem that I face is that the email is not getting signed and variable res remains false, whereas if I change the SsfDataSMIME(message, session) constructor to SsfDataXML(inputStream) then the above piece of code works fine and I am able to sign any XML file.

Can anyone tell me what's the mistake that I am making and also suggest what all needs to be done for sending a digitally signed email.

Best Regards,

Harshit

Edited by: Harshit Madania on Jul 29, 2008 8:20 AM

## DB:3.11:Sending Digitally Signed Emails In Webdynpro f8

Hi Harshit,

I hope this link might be helpful for Sending Digitally Signed Emails.

[https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7149de90-0201-0010-0689-afa2ac5d2048]

Regards,

Sharma.

• RELEVANCY SCORE 3.11

## DB:3.11:How To Configure Ssl Certificates On Weblogic 10.3.5? p7

Hi everybody,

i've got 2 certificates: Server and Intermediate CA. I used the java keytool command to import these two certificates into a new keystore:

keytool -import -v -alias server_cert -file certificate.pem -keystore keystore.jks

keytool -import -v -alias intermediate_ca -file intermediate.pem -keystore keystore.jks

Then as weblogic 10.3.5 documentation says i need to use ImportPrivateKey utility in order to import private key into keystore, so i use this command:

java utils.ImportPrivateKey -keystore private.jks -storepass password -keyfile mykey -keyfilepass password -keyfile private.pem -alias private

and get the following error:

Exception in thread "main" java.lang.NoClassDefFoundError: utils.ImportPrivateKey
at gnu.java.lang.MainThread.run(libgcj.so.7rh)
Caused by: java.lang.ClassNotFoundException: utils.ImportPrivateKey not found in gnu.gcj.runtime.SystemClassLoader{urls=[file:./], parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null}}
at java.net.URLClassLoader.findClass(libgcj.so.7rh)
at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
at java.lang.ClassLoader.loadClass(libgcj.so.7rh)
at gnu.java.lang.MainThread.run(libgcj.so.7rh)

Any ideas? Thanks.

Regards,
Karolis M.
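What ImportPrivateKey does, done with the standard JDK API as an added example (not WebLogic's utility and not the poster's code): read an unencrypted PKCS#8 PEM key plus the two PEM certificates from the commands above, check that the key really belongs to certificate.pem and that intermediate.pem issued it, and write them as one key entry with a leaf-first chain. File names follow the post; alias, keystore name and password are assumed command-line arguments, and the key is assumed to be RSA.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

/** Added example: private key + cert chain from PEM files into one JKS key entry. */
public class ImportPemKeyPair {

    /** Parses an unencrypted PKCS#8 PEM key ("-----BEGIN PRIVATE KEY-----").
     *  A "BEGIN RSA PRIVATE KEY" (PKCS#1) file must be converted first:
     *  openssl pkcs8 -topk8 -nocrypt -in private.pem -out private-pkcs8.pem */
    static PrivateKey readPkcs8Pem(String path) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII);
        if (!pem.contains("BEGIN PRIVATE KEY")) {
            throw new IllegalArgumentException(path + " is not an unencrypted PKCS#8 PEM file");
        }
        String b64 = pem.replaceAll("-----[A-Z ]+-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static X509Certificate readCertPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Refuses to build a key entry out of parts that do not belong together. */
    static void checkConsistency(PrivateKey key, X509Certificate leaf, X509Certificate issuer)
            throws Exception {
        RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
        if (!((RSAPrivateKey) key).getModulus().equals(pub.getModulus())) {
            throw new IllegalArgumentException("private key does not match the server certificate");
        }
        if (!leaf.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            throw new IllegalArgumentException("intermediate did not issue the server certificate");
        }
        leaf.verify(issuer.getPublicKey());   // throws if the signature does not check out
        leaf.checkValidity();
    }

    public static void main(String[] args) throws Exception {
        // args: private-pkcs8.pem certificate.pem intermediate.pem keystore.jks storepass alias
        PrivateKey key = readPkcs8Pem(args[0]);
        X509Certificate server = readCertPem(args[1]);
        X509Certificate intermediate = readCertPem(args[2]);
        checkConsistency(key, server, intermediate);

        char[] pass = args[4].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, pass);                          // fresh, empty store
        // Chain order matters: end-entity certificate first, then its issuer.
        Certificate[] chain = { server, intermediate };
        ks.setKeyEntry(args[5], key, pass, chain);    // key password = store password, as keytool expects
        try (OutputStream out = new FileOutputStream(args[3])) {
            ks.store(out, pass);
        }
        System.out.println("stored key entry '" + args[5] + "' with a chain of " + chain.length);
    }
}
```

Afterwards `keytool -list -v -keystore keystore.jks` should show the alias as a PrivateKeyEntry with a certificate chain length of 2, which is what the server needs to present during the handshake.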

## DB:3.11:How To Configure Ssl Certificates On Weblogic 10.3.5? p7

Hello,

Your error message says "*Exception in thread "main" java.lang.NoClassDefFoundError: utils.ImportPrivateKey*" which can only happen if you have not set your domain environment before executing java utils.ImportPrivateKey command.

set domain environment first by executing setDomainEnv.sh or setDomainEnv.cmd (for Windows) from path *$DOMAIN_HOME/bin*.

Thanks,
Ranjan

• RELEVANCY SCORE 3.11

## DB:3.11:Error In Certificate Creation 1f

i want to configure for an application with name myapp in tomcat; for that purpose i am following this procedure to create a certificate

The following steps are followed for creation of an SSL Certificate for tomcat version 5.0

1. C:\Program Files\Java\jdk1.5.0_12\bin>keytool -genkey -alias tomcat -keyalg RSA \ -keystore \path\to\my\keystore
2. keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore your_keystore_filename
3. keytool -import -alias root -keystore your_keystore_filename -trustcacerts -file filename_of_the_chain_certificate

when i execute the last step it is giving the following error

C:\Program Files\Java\jdk1.5.0_12\bin>keytool -import -alias root -keystore c:\keystore -trustcacerts -file certreq.csr
Enter keystore password: changeit
keytool error: java.lang.Exception: Input not an X.509 certificate

please provide a solution as soon as possible

## DB:3.11:Error In Certificate Creation 1f

I feel like I just answered this question recently. The .csr file is almost certainly not an X509 certificate, just like the error says. It's probably the certificate signing request you created in step 2. You have to provide this to one of the certificate authorities whose root is in the cacerts file along with some money and proof of identity and if all goes well they'll give you back an actual real x509 certificate that you can then import in step 3.

• RELEVANCY SCORE 3.11

## DB:3.11:How To Update Java Keystore On Mac Through Java Program? fx

I'm trying to update a CA Certificate through a Java program. Using the code below it works fine on Windows and Linux. But on Mac it throws a file permission error.
KeyStore ks;
String kspass = "changeme";
FileOutputStream out = new FileOutputStream(ksFileName);
ks.store(out, kspass.toCharArray());
out.close();

Is it possible to get the admin password through the Java program and then update the keystore? Or any other options?

## DB:3.11:How To Update Java Keystore On Mac Through Java Program? fx

Yes. It is a file user rights issue. Is it possible to get the root user password through a Java GUI and then set the keystore?

• RELEVANCY SCORE 3.10

## DB:3.10:Error In Getting Private Key From Keystore zd

Hi,

I am using a JKS java keystore. I have successfully added two private keys and associated certificates into the keystore. When I try to access my first private key using the method keystore.getKey(alias,password) I get the key successfully, but when I try to access the second key by using the same method, I get the following exception:

java.security.UnrecoverableKeyException: excess private key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:314)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:106)
at java.security.KeyStore.getKey(KeyStore.java:250)

Any ideas to fix this problem?

Regards
YK

## DB:3.10:Error In Getting Private Key From Keystore zd

Hi there,

my reply comes quite late, but might be of interest for people facing the same problem. I also just couldn't get a certain .pfx private/public keypair into my .jks keystore (while others worked just fine). First, the CA root cert had a 4096bit RSA-key, hence unsupported by Sun's crypto-provider - but I had 4096bit RSA-implementations available from other vendors. As it has been pointed out, there seems to be an issue with Sun's keystore implementation, and it can be circumvented by using third party implementations like IAIK or BouncyCastle. Still I had to import it into a Sun keystore because of backward compatibility.
I finally managed to do so by splitting up the import into several steps: first, import the private key only to your .jks (without the cert chain), then import the cert chain, and finally merge them together again programmatically and store the resulting key to your keystore.

Kind regards,
Arno Huetter

• RELEVANCY SCORE 3.09

## DB:3.09:Keystore Was Tampered With, Or Password Was Incorrect fs

I keep getting a java exception in my code - java.io.IOException: Keystore was tampered with, or password was incorrect

I am storing a DESede SecretKey to disk from within servlet code - the part that gens the key and stores the key to disk works fine. The problem occurs with the servlet that reads a filename, loads the KeyStore and attempts to decrypt the encrypted file using the KeyStore. Here is the code I am using:

SecretKey key;
String keyPass = "mss";
char passwd[] = new char[keyPass.length()];
keyPass.getChars(0, keyPass.length(), passwd, 0);

// Create an 8-byte initialization vector
byte[] iv = new byte[] { (byte) 0x8E, 0x12, 0x39, (byte) 0x9C, 0x07, 0x72, 0x6F, 0x5A };

try {
    //BufferedReader in = new BufferedReader(new FileReader(p_file));
    FileInputStream in = new FileInputStream(p_file);
    String keyStoreFileName = p_file + Constants.keyStoreSuffix;

    // get the key from the keystore
    KeyStore keyStore = KeyStore.getInstance("JCEKS");
    FileInputStream m_file = new FileInputStream(keyStoreFileName);
    keyStore.load(m_file, passwd); //initialize keyStore
    key = (SecretKey) keyStore.getKey(Constants.keyStoreAlias, passwd);

    AlgorithmParameterSpec paramSpec = new IvParameterSpec(iv);

    // get a cipher, initialize, read in the file and de-crypt
    Cipher c = Cipher.getInstance("DESede/CFB/PKCS5Padding");
    c.init(Cipher.DECRYPT_MODE, key, paramSpec);
    CipherInputStream m_cipherIn = new CipherInputStream(in, c);
    InputStreamReader m_streamReader = new InputStreamReader(m_cipherIn);
    BufferedReader m_bufReader = new BufferedReader(m_streamReader);

=====================================

Again, the
error message I get in my logfile is: java.io.IOException: Keystore was tampered with, or password was incorrect.

Any help would be greatly appreciated.

- Lana

## DB:3.09:Keystore Was Tampered With, Or Password Was Incorrect fs

Got it! I found that I left out

Certificate[] chain = new Certificate[1];
String alias = "mss_alias";
keyStore.setKeyEntry(alias, key, passwd, chain);

when I created and stored the key, so the passwords did not match. Dope!

• RELEVANCY SCORE 3.09

## DB:3.09:Unable To Find Valid Certification Path z8

Hi all,

I am facing some problems with my grails application while connecting to a mail server using javax.mail over an SSL connection with a certificate from startCom. No idea if the issuer is important here, I just mention it as its CA root certificate is not included in the JRE's default keystore. The application raises the following exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. Failed messages: javax.mail.MessagingException: Exception reading response;

I had this problem on a different machine before and was able to solve it using the InstallCert.java tool. But now I changed the host computer, which runs a JDK_1.6.0._21 (64) on Windows 7 (64), and the above method does not work anymore. InstallCert.java however affirms that the certificate has been added to the keystore:

Loading KeyStore C:\Program Files\Java\jdk1.6.0_21\jre\lib\security\cacerts...
Opening connection to www.myserver.com:443...
Starting SSL handshake...
No errors, certificate is already trusted

The keytool tool however expects the keystore in the home directory (\Users\currentUser\.keystore). If the file is added there, it lists the installed certs just fine (including the self signed one which was added using InstallCert.java) but this does not solve the problem either.
That made me think that perhaps the grails application looks for certificates in a different keystore. As a first step to clear the issue, is there a way to programmatically print the keystore file used to the console?

Thanks
Simon

## DB:3.09:Unable To Find Valid Certification Path z8

Please don't post in threads that are long dead and don't hijack other threads. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem. I'm locking this thread now.

• RELEVANCY SCORE 3.09

## DB:3.09:How To Store Public And Private Keys Without A Keystore? sx

Hi All,

I have generated a private key (RSA) and need to import it into my java program. So when using openssl and running this command:

openssl genrsa -out /opt/ecelerity/etc/dkim/example.com/myKey512.key 512

I get one key file (myKey512.key). This file also contains the public key. I need to read in the myKey512.key file and store it in a database (in Base64 format). We have done this previously with a Keystore object, which we loaded with the private key and a cert. However, we are not using the keys for certs so I can't use a Keystore. Does anyone know of any other object we can use for storing the keys?

Thanks!

## DB:3.09:How To Store Public And Private Keys Without A Keystore? sx

This might help: http://juliusdavies.ca/commons-ssl/pkcs8.html

This way you can store your 'myKey512.key' file directly in the database as VARBINARY. When you want to retrieve it just throw the raw bytes into my PKCS8Key() constructor, like so:

byte[] myRawKey = somehowGetFromDatabase();

// Null password. If your key was encrypted by openssl,
// then you'll need to supply it instead of null.
char[] password = null;

PKCS8Key pkcs8 = new PKCS8Key(myRawKey, password);
PrivateKey privateKey = pkcs8.getPrivateKey();
PublicKey publicKey = pkcs8.getPublicKey();

'myKey512.key' doesn't have to be PKCS8 format.
It can be any of these formats: http://juliusdavies.ca/commons-ssl/samples/rsa_result.html

• RELEVANCY SCORE 3.09

## DB:3.09:Keystore Question s9

I have been digging around on this for a while now, with little success. I have a valid X509 certificate from a trusted CA that I purchased recently. I need to know if there is a way to get the private key from this cert into a java keystore. I've been able to load the private key into a keystore by converting the cert into a .pfx file and importing it into the keystore, but this only imports a keyentry into the keystore, not a trustedCert entry as well. What I have now works great for signing documents (which is what i need to do with this cert), but when I try to verify the generated signature with the public key found in my original certificate, it fails -- hence the problem.

So my question is - Is there a way to get a private key from a certificate (.cer,.der) into a java keystore, or a trustedCert entry from a .pfx file? Any help at all will be greatly appreciated. :-)

Thanks in Advance.

## DB:3.09:Keystore Question s9

If you used InternetExplorer for this have a look in its own key store. You can export from there. Somewhere on one of the menus ... I don't have a current IE so I can't help you further.

• RELEVANCY SCORE 3.08

## DB:3.08:Importing Public Key Into Keystore c3

Hello,

I have a public key in pem format (the file starts with '-----BEGIN PUBLIC KEY-----'). The key isn't wrapped into any certificate. Is there a way to import it into a java keystore?

## DB:3.08:Importing Public Key Into Keystore c3

He's interested in importing a public key, not a private key. It's not in a certificate. And he wants to put it into a keystore.

• RELEVANCY SCORE 3.08

## DB:3.08:Null Keystore Exception 9p

Dear team,

we are working on OSB 11.1.1.7 version. When we are restarting our Admin server and OSB server we are getting the below error in the log.
Error Security BEA-090892 The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
Critical WebLogicServer BEA-000386 Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.
weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: JPS-06514: Opening of file based keystore failed.

We added -Djava.security.debug=jpspolicy in the server start up file. In the out file we can see the below error:

/app/oracle/soa/wlserver_10.3/server/lib/DemoTrust.jks]
policy: reading file:/app/oracle/soa/wlserver_10.3/server/lib/weblogic.policy
java.lang.IllegalArgumentException: null KeyStore name
at sun.security.util.PolicyUtil.getKeyStore

Please suggest.

• RELEVANCY SCORE 3.08

## DB:3.08:Pkcs12keystore.Engineload Error pm

The following code produces an error that I do not recognize. I believe that my JRE environment is missing some sort of file, because I copied my JRE from another workstation, and the code runs on the good workstation.

Good workstation: J2SDK 1.4.1_03 (build 1.4.1_03-b02, mixed mode)
Troubled workstation: J2SDK 1.4.1_01 (build 1.4.1_01-b01, mixed mode)

CODE SNIP

ByteArrayInputStream pfxByteStream = new ByteArrayInputStream(pfxData);

// Do we need to make a KeyStore Object?
if (m_ks == null) {
    // Use Sun's keystore to decode the PKCS12 buffer.
    m_ks = KeyStore.getInstance("PKCS12");
}

// Make sure KeyStore in memory is initialized as empty.
m_ks.load(null, null);

/*
** Populate the keystore with cert data.
** WARNING: IF PREVIOUS VALUES EXIST IN THE KEYSTORE,
** EACH CALL TO "KeyStore.LOAD()" WILL CAUSE THE KEYSTORE
** TO REINITIALIZE, AND ALL PREVIOUS KEYSTORE VALUES ARE
** DELETED!!!
*/
m_ks.load(pfxByteStream, m_privKeyPassword.toCharArray());
pfxByteStream.close();

END CODE SNIP

__________________________________________

Error message from Troubled workstation:

java.lang.NoSuchMethodError: sun.security.util.DerInputStream.getInteger()Lsun/security/util/BigInt;
at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA6275)
at java.security.KeyStore.load(KeyStore.java:652)
at com.myCompany.security.njtls.keymanager.MyKeyManagerImpl.transferCertificateData(MyKeyManagerImpl.java:688)

___________________________________________

I discovered that the file "RT.JAR" 22,940 kb 9/30/2002 holds the classes DerInputStream and BigInt, so I placed that version of RT.JAR into the ...\JRE\LIB\EXT directory of the Troubled workstation, but it didn't matter. I still got the same old "java.lang.NoSuchMethodError".

I thought I might have other versions of RT.JAR lying around, so I searched the whole disk and found no other copies. I wonder if there could be some other reason why I'm getting this error. Any thoughts?

-Paul

## DB:3.08:Pkcs12keystore.Engineload Error pm

More info...

_______________________________________________

Java Doc says:

public class NoSuchMethodError extends IncompatibleClassChangeError

Thrown if an application tries to call a specified method of a class (either static or instance), and that class no longer has a definition of that method. Normally, this error is caught by the compiler; this error can only occur at run time if the definition of a class has incompatibly changed.

_______________________________________________

The last paragraph makes me wonder, what definition of the class sun.security.util.DerInputStream has "incompatibly changed?"
-Paul • RELEVANCY SCORE 3.08 ## DB:3.08:Java 1.4.2_02 Keystore Password? 3f I am trying to import a self-signed cert using the keytool. I am running j2re1.4.2_02 om windows 2000. When prompted with the password I enter "changeit" like I have been doing with previous Java release. It seems as though the keystore default password has changed. Because I keep getting the error "keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect." It looks like Java is now using the deployment.jsscerts file below "C:\Documents and Settings\dean\Application Data\Sun\Java\Deployment\security\deployment.jssecerts" I had previously imported the cert into the cacerts file C:\Program Files\Java\j2re1.4.2_02\lib\security\cacerts However I see via the Java Plugin control panel that the jsscerts file is now being used. Can anyone tell me what the default password is to the deployment.jsscets keystore ? Thanks ## DB:3.08:Java 1.4.2_02 Keystore Password? 3f Like it says, the password was incorrect, but please don't hijack threads, start your own. • RELEVANCY SCORE 3.08 ## DB:3.08:Dealing With Keystore Larger Than Available Memory. kp Hi, I'm manipulating a JCEKS/SunJCE KeyStore that has grown larger than available memory on the machine. I need to be able to quickly lookup/create/and sometimes delete keys. Splitting into multiple KeyStores and loading/unloading based on which one the particular request needs isn't ideal. Can anyone recommend a file backed KeyStore that doesn't depend on loading the entire file into memory to work with the KeyStore? Or perhaps a different way of using the existing framework? Thanks, Niall ## DB:3.08:Dealing With Keystore Larger Than Available Memory. kp OK, so now I understand you're talking about a very specific kind of BER encoding known as indefinite length encoding. But I still don't see how it helps: it seems to hurt more than it helps. 
I would guess if your keystore gets as large as the OP was suggesting, you might want to implement your own using DB technology, e.g. mysql. I think your suggestions of starting with the BC is a good idea. • RELEVANCY SCORE 3.08 ## DB:3.08:Failure In Signing Data z3 Hi all, I have a problem in a scenario where I have to generate a signature for a part of the xml data of a message. This signature has to be moved to a special tag within the document. Therefore I created a Java Mapping where I access the keystore of the J2EE Engine and generate the signature. Part of the Implementation: InitialContext context = new InitialContext(env); manager = (KeystoreManager) context.lookup("keystore"); KeyStore keyStore = null; keyStore = manager.getKeystore("DEFAULT"); SsfProfileKeyStore profile = null; profile = new SsfProfileKeyStore(keyStore, alias, null); PrivateKey key = profile.getPrivateKey(); Signature sig = Signature.getInstance("RSA"); sig.initSign(key); sig.update(data); signature = sig.sign(); When I create the InitialContext over remote and run it within the Developer Studio for example with file streams it works fine. But after import to the Integration Builder integration into an interface mapping, I get an Exception with this error: javax.crypto.BadPaddingException: PKCS#1 requires data at least 11 bytes shorter than the modulus! When I write the format of the key to the trace it is PKCS#8, as it should be. Do someone has an idea where the runtime thinks it should handle the signature with PKCS#1? Thanks Regards Olli ## DB:3.08:Failure In Signing Data z3 Hi Oliver, Did you get solution to this problem. Please let me know if you have the solution. Thx • RELEVANCY SCORE 3.08 ## DB:3.08:Error While Importing Ca Cert Into Kerstore ac Hi all, I am facing below error while importing CA cet or trusted cert into keystore: bash-3.00$ keytool -import -v -trustcacerts -alias tcstestenv -file TCStestCA.cer -keystore keystore.jks
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)
bash-3.00$ keytool -import -v -alias tcstestenv -file TCStest.cer -keystore keystore.jks
Enter keystore password:
keytool error: java.lang.Exception: Public keys in reply and keystore don't match
java.lang.Exception: Public keys in reply and keystore don't match
at sun.security.tools.KeyTool.establishCertChain(KeyTool.java:2618)
at sun.security.tools.KeyTool.installReply(KeyTool.java:1870)
at sun.security.tools.KeyTool.doCommands(KeyTool.java:807)
at sun.security.tools.KeyTool.run(KeyTool.java:172)
at sun.security.tools.KeyTool.main(KeyTool.java:166)

Regards
Sunitha

## DB:3.08:Error While Importing Ca Cert Into Kerstore ac

Hello Sunitha,

Could you solve this issue?

Regards,
Anuj

• RELEVANCY SCORE 3.07

## DB:3.07:Java Ibm Mq With Ssl X509 1k

Hi

I need some help to figure out how to solve this problem.

I have a Java 6 Application (SUN JRE 6) that connects to an IBM MQ 7.
Without SSL I am able to connect and put some content on the queue!

But the trouble begins when we are enabling security.

We have got an X509 certificate from a signing company.
We have imported this key into a java keystore (with help from the signing company)
we used the IBM Key Management Tool for this.

So we now have a key file, key.jks, which is placed right beside the java application in the same folder.

We have been told to use SSL CipherSpec: TLS_RSA_WITH_AES_128_CBC_SHA
But does this mean that we must use the CipherSuite: SSL_RSA_WITH_AES_128_CBC_SHA ???

We are using the following code to connect with SSL:

// Queue manager details
String qmgrName = this.qManager;
Hashtable props = new Hashtable();
props.put(MQC.CHANNEL_PROPERTY, this.channel);
props.put(MQC.HOST_NAME_PROPERTY, this.hostname);
props.put(MQC.PORT_PROPERTY, new Integer(1410));

// SSL details

// should we use the ciphersuite or the cipherspec???
props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, "SSL_RSA_WITH_AES_128_CBC_SHA");

// Is the relative path OK to use or should we use an absolute path?
String keyStorePath = "key.jks";
String trustStorePath = "key.jks";
String password = "thecode";

// Create a keystore object for the keystore
KeyStore keyStore = KeyStore.getInstance("JKS");

// Open our file and read the keystore
FileInputStream keyStoreInput = new FileInputStream(keyStorePath);
try {
    keyStore.load(keyStoreInput, password.toCharArray());
} finally {
    keyStoreInput.close();
}

// Create a keystore object for the truststore
KeyStore trustStore = KeyStore.getInstance("JKS");

// Open our file and read the truststore (no password)
FileInputStream trustStoreInput = new FileInputStream(trustStorePath);
try {
    trustStore.load(trustStoreInput, null);
} finally {
    trustStoreInput.close();
}

// Create a default trust and key manager
TrustManagerFactory trustManagerFactory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyManagerFactory keyManagerFactory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

// Initialise the managers
trustManagerFactory.init(trustStore);
keyManagerFactory.init(keyStore, password.toCharArray());

// Get an SSL context. For more information on providers see:
// http://www.ibm.com/developerworks/library/j-ibmsecurity.html
// Note: Not all providers support all CipherSuites.
SSLContext sslContext = SSLContext.getInstance("TLS_SSL"); //getDefault();
System.out.println("SSLContext provider: " +
    sslContext.getProvider().toString());

// Initialise our SSL context from the key/trust managers
//sslContext.init(keyManagerFactory.getKeyManagers(),
//    trustManagerFactory.getTrustManagers(), null);

// Get an SSLSocketFactory to pass to WMQ
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

// Set the socket factory in our WMQ parameters
props.put(MQC.SSL_SOCKET_FACTORY_PROPERTY, sslSocketFactory);

// Connect to WMQ
MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
try {
    // Query the description
    String desc = qmgr.getDescription();

    // Output the description
    System.out.println("Queue Manager DESCR: \"" + desc + "\"");
} finally {
    qmgr.disconnect();
}
In this line we are having some problems:
SSLContext sslContext = SSLContext.getInstance("SSL_TLS");//getDefault();
This Exception is being thrown: java.security.NoSuchAlgorithmException: SSL_TLS SSLContext not available

If we instead use:
SSLContext sslContext = SSLContext.getDefault();

We can continue to the line:
MQQueueManager qmgr = new MQQueueManager(qmgrName, props);
But then it is throwing this exception:
com.ibm.mq.jmqi.JmqiException: CC=2;RC=2393;AMQ9204: Connection to host '*********(****)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2393;AMQ9771: SSL handshake failed. [1=java.lang.IllegalArgumentExceptionUnsupported ciphersuite SSL_RSA_WITH_AES_128_CBC_SHA],3=131.165.93.73/131.165.93.73:1414 (131.165.93.73),4=SSLSocket.createSocket,5=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl@151f910]],3=131.165.93.73(1414),5=RemoteTCPConnection.makeSocketSecure

What does this mean? Does it mean that the IBM MQ Server is saying that the specified ciphersuite is not supported? Or?

What about JSSE (Java Secure Socket Extension), is this bundled into Java 6 - 1.6?

Is it enough to use SUN JRE 6 with some additional jars in order to use IBM MQ with SSL and X509, or should the real IBM MQ client software be installed on my PC and on the resulting production machine?

Are we doing something in the wrong manner?

## DB:3.07:Java Ibm Mq With Ssl X509 1k

Hi,

This forum is for Oracle MessageQ (also known as BEA MessageQ and DEC MessageQ), not IBM MQ Series. I doubt there is an Oracle forum focused on IBM MQ Series.

Regards,
Todd Little
Oracle Tuxedo Chief Architect
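
The two failures in the post have separate causes, and the following added example (not the poster's code and not IBM's sample) builds the SSLSocketFactory in a way that surfaces both before MQ is ever contacted. "SSL_TLS" and "TLS_SSL" are not registered SSLContext algorithm names, so getInstance() throws NoSuchAlgorithmException; "TLS" is. The AMQ9771 failure is raised inside com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl, i.e. the Sun provider, which knows the suite as TLS_RSA_WITH_AES_128_CBC_SHA; the SSL_-prefixed spelling in the post is the IBM JSSE name for the same suite (assumption: the application runs on the Oracle/Sun JRE, as the post states). The file names and password come from the post; the class name, the suite check and the use of Java 8 syntax are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Added example: build the SSLSocketFactory handed to MQC.SSL_SOCKET_FACTORY_PROPERTY. */
public class MqSslSocketFactoryBuilder {

    // SunJSSE's name for the MQ CipherSpec TLS_RSA_WITH_AES_128_CBC_SHA. On the IBM JRE the
    // same suite is spelled SSL_RSA_WITH_AES_128_CBC_SHA (assumption: Oracle/Sun JRE here).
    static final String REQUIRED_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA";

    /** Loads a JKS file. Pass the real password: load(in, null) skips the JKS integrity check. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLSocketFactory build(String keyStorePath, char[] keyStorePassword,
                                  String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = loadJks(keyStorePath, keyStorePassword);
        KeyStore trustStore = loadJks(trustStorePath, trustStorePassword);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);   // key-entry password; keytool defaults it to the store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // "TLS" is a standard SSLContext algorithm name; "SSL_TLS" / "TLS_SSL" are not,
        // which is the NoSuchAlgorithmException in the post.
        SSLContext ctx = SSLContext.getInstance("TLS");
        // A context that is never init()ed cannot hand out a usable socket factory;
        // the post had this call commented out.
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLSocketFactory factory = ctx.getSocketFactory();
        // Fail here, with the provider's real suite list, instead of AMQ9771 at connect time.
        String[] supported = factory.getSupportedCipherSuites();
        if (!Arrays.asList(supported).contains(REQUIRED_SUITE)) {
            throw new IllegalArgumentException(ctx.getProvider().getName() + " does not support "
                    + REQUIRED_SUITE + "; it offers " + Arrays.toString(supported));
        }
        return factory;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "thecode".toCharArray();   // from the post; in practice read it from a protected source
        SSLSocketFactory f = build("key.jks", pw, "key.jks", pw);
        System.out.println("socket factory ready: " + f.getClass().getName());
        // Then, as in the post:
        //   props.put(MQC.SSL_CIPHER_SUITE_PROPERTY, REQUIRED_SUITE);
        //   props.put(MQC.SSL_SOCKET_FACTORY_PROPERTY, f);
    }
}
```

The post loads the trust store with a null password. JKS accepts that, but it skips the keyed-hash integrity check, so a tampered key.jks would load silently; passing the real password to both loads closes that gap. Whether the MQ 7 classes are supported on a non-IBM JRE is a separate question for IBM's documentation; the example only removes the JSSE-side errors.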

• RELEVANCY SCORE 3.07

## DB:3.07:Re: Problem With Ssl And Wsdl. dj

1. You should use the standard Java truststore. That's the file that tells you which received certificates to trust.

2. Your own private key and certificate must go into a keystore. That's defined by javax.net.ssl.keyStore/keyStorePassword. This is the same kind of file as a truststore, but it is functionally completely different: it is the source of the certificate the error message is talking about. As you haven't defined a keystore at all, you can't send a certificate, so you will get this error.

Note that normally you have to generate the private key in the keystore, export a CSR, get it signed, and import the signed CSR back into the keystore using the same alias. You might be able to import the entire file you were given using the -importkeystore option and naming the source keystore type, I've never done that.

## DB:3.07:Re: Problem With Ssl And Wsdl. dj

Locking this as it is being addressed in your [other thread on the same topic in the correct forum|http://forums.sun.com/thread.jspa?threadID=5450744messageID=11051264#11051264].

• RELEVANCY SCORE 3.06

## DB:3.06:Please Help...Jsse And Certificates And Private Keys 3x

Hi,

I am trying to connect a Java test client to a Java test server using a certificate I generated using openSSL. I put the contents of the .pem file in a keystore using keytool and now I have a keystore with this trusted certificate in it. I also put the certificate in the cacerts. The keystore does not contain the private key of this entity.
How can I initialize the SSL Context using this certificate? I realize that I cannot do:
ks.load(new FileInputStream(serverKeyFile), passphrase);

kmf.init(ks, passphrase);
ctx.init(kmf.getKeyManagers(), null, null);
SSLServerSocketFactory ssf =
ctx.getServerSocketFactory();
since the private key is missing from this keystore. And I can't use getDefault(), either. Is there a way to put the private key that's in a .key file in this keystore? If not, how can I create an SSLServerSocketFactory object that will work correctly??

I would appreciate any suggestions.

Sachiko

## DB:3.06:Please Help...Jsse And Certificates And Private Keys 3x

Did you solve this problem? I have exactly the same problem to solve.
Please email the solution to dskrishna@hotmail.com
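
The WSDL/SSL reply above (a private key and certificate handed over as a file, to be brought in with -importkeystore) and Sachiko's OpenSSL .pem plus .key pair come down to the same task: get a private key and its certificate chain into a KeyStore as one key entry, so that KeyManagerFactory.init() has a certificate to present. The following is an added example, not code from either thread, that does this for both input forms with the plain JCA API; the resulting store is what the ks.load/kmf.init lines in Sachiko's post expect. Assumptions: the key is RSA; the .key file is unencrypted PKCS#8 (OpenSSL's "BEGIN RSA PRIVATE KEY" output is PKCS#1 and must first be converted with `openssl pkcs8 -topk8 -nocrypt`); the file names, alias and password in main() are placeholders; Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;

/** Added example: turn OpenSSL output into a KeyStore that KeyManagerFactory.init() accepts. */
public class OpenSslToKeyStore {

    /** Copies every key entry of a PKCS12 file into an in-memory JKS (what keytool -importkeystore does). */
    static KeyStore fromPkcs12(String p12Path, char[] p12Password) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            p12.load(in, p12Password);
        }
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                       // load(null, ...) creates an empty store
        for (String alias : Collections.list(p12.aliases())) {
            if (p12.isKeyEntry(alias)) {
                jks.setKeyEntry(alias, p12.getKey(alias, p12Password), p12Password,
                                p12.getCertificateChain(alias));
            }
        }
        return jks;
    }

    /**
     * Builds one key entry from a PEM certificate file (leaf first, then any intermediates)
     * and an unencrypted PKCS#8 RSA key (assumption: RSA; adjust KeyFactory for EC keys).
     */
    static KeyStore fromPem(String certPemPath, String pkcs8Path, String alias, char[] password) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate[] chain;
        try (InputStream in = new FileInputStream(certPemPath)) {
            chain = cf.generateCertificates(in).toArray(new Certificate[0]);
        }
        PrivateKey key = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(readPkcs8(pkcs8Path)));

        // The leaf certificate must belong to this key; otherwise the handshake fails late and obscurely.
        RSAPublicKey pub = (RSAPublicKey) chain[0].getPublicKey();
        if (!pub.getModulus().equals(((RSAPrivateKey) key).getModulus())) {
            throw new IllegalArgumentException("certificate "
                    + ((X509Certificate) chain[0]).getSubjectX500Principal()
                    + " does not match the private key in " + pkcs8Path);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry(alias, key, password, chain);
        return ks;
    }

    /** Accepts either a DER file or a "-----BEGIN PRIVATE KEY-----" PEM file. */
    static byte[] readPkcs8(String path) throws Exception {
        byte[] raw = Files.readAllBytes(Paths.get(path));
        String text = new String(raw, StandardCharsets.US_ASCII);
        if (!text.contains("-----BEGIN PRIVATE KEY-----")) {
            return raw;                             // assume DER
        }
        String b64 = text.replace("-----BEGIN PRIVATE KEY-----", "")
                         .replace("-----END PRIVATE KEY-----", "")
                         .replaceAll("\\s+", "");
        return Base64.getDecoder().decode(b64);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();       // placeholder password for the new store
        KeyStore ks = fromPem("server.pem", "server.pk8", "server", pw);   // placeholder file names
        try (OutputStream out = new FileOutputStream("server.jks")) {
            ks.store(out, pw);                      // or hand ks straight to KeyManagerFactory.init(ks, pw)
        }
    }
}
```

A certificate-only keystore, which is what keytool -import of a .pem produces, is a truststore; KeyManagerFactory will initialise on it without complaint and then simply have nothing to present, which is the symptom in both threads.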

• RELEVANCY SCORE 3.06

## DB:3.06:Problems Accessing Certificates In Windows Keystore d1

Hi,
I'm trying to access the Windows keystore via a Java program. Instantiating the Keystore with KeyStore.getInstance("Windows-MY"); or with "Windows-ROOT" works fine. I'm able to get the key or certificate stored in the PERSONAL or ROOT category of the windows keystore.
My problem however is that the certificate, which I (or a user of my application) download from the web is "implicitly installed" into the OTHERS category, where it is invisible for me from the java code. (By "implicit installation" I mean that when the cert. installation wizard Windows opens after "executing" the certificate file, I select the Automatic installation option).
I can of course select the PERSONAL category manually, but it'd be nicer if the users didn't have to worry about that.
Is there a way how to access the OTHERS category of the Windows keystore?

## DB:3.06:Problems Accessing Certificates In Windows Keystore d1

Question should be in the cryptography forum, but the answer is no.

• RELEVANCY SCORE 3.06

## DB:3.06:How To Load The Certificate Authority Into The Keystore For The Weblogic8.1 dd

how to load the certificate authority into the keystore for the weblogic8.1
==================================================
Getting the message below when trying to import the certificate to the weblogic 8.1 web server. Received this certificate from our internal IT certificate authority. Trying to import the certificate to our test system.
===================================================
keytool error: java.lang.Exception: Failed to establish chain from reply

Import failed. Verify that the Certificate Authority that signed 'certi.pem'
has been loaded into your keystore 'keystore\pskey'

To view keystore contents issue 'PSkeymanager -list -keystore keystore\pskey [-v
]'
To preview a certificate file issue 'PSkeymanager -previewfilecert -file certi.pem'

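
Sunitha's keytool trace and the WebLogic 8.1 / PSkeymanager message are two halves of one keytool rule. An -import into an alias that already holds a private key is treated as a certificate reply, which is why the trace runs through installReply and why the reply's public key is compared with the stored one ("Public keys in reply and keystore don't match" when a CA certificate is imported under the server's alias). A reply is then only installed if the CA that signed it is already a trusted entry, in the keystore or in cacerts, which is what "Failed to establish chain from reply" is saying. So the CA certificate goes in first under an alias of its own, and the signed certificate second under the key alias. The following is an added example, not the posters' code, that performs both steps with the KeyStore API and repeats keytool's two checks. Assumed: the CA signed the reply directly (no intermediates), the alias tcstestca is my choice, the key password equals the store password, and Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Added example: the two imports keytool was asked to do, in the order that makes them succeed. */
public class InstallCaThenReply {

    static X509Certificate readCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Step 1: the CA certificate becomes a trusted-certificate entry under an alias of its own. */
    static void importTrustedCa(KeyStore ks, String caAlias, X509Certificate ca) throws Exception {
        if (ks.isKeyEntry(caAlias)) {
            // Writing the CA under an alias that holds a private key is what turns the import into
            // a "certificate reply" and produces "Public keys in reply and keystore don't match".
            throw new IllegalStateException(caAlias + " holds a private key; use a different alias for the CA");
        }
        ca.checkValidity();
        ks.setCertificateEntry(caAlias, ca);
    }

    /** Step 2: the signed certificate replaces the self-signed one on the existing key entry. */
    static void installReply(KeyStore ks, String keyAlias, char[] keyPassword,
                             X509Certificate reply, X509Certificate ca) throws Exception {
        if (!ks.isKeyEntry(keyAlias)) {
            throw new IllegalStateException("no key pair under " + keyAlias + "; generate it before importing a reply");
        }
        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, keyPassword);
        Certificate current = ks.getCertificate(keyAlias);   // first certificate of the stored chain
        // keytool's first check: the reply must certify the public key already stored under this alias.
        if (!Arrays.equals(current.getPublicKey().getEncoded(), reply.getPublicKey().getEncoded())) {
            throw new IllegalStateException("reply does not certify the key pair under " + keyAlias);
        }
        // keytool's second check: the reply must chain to a trusted CA,
        // otherwise "Failed to establish chain from reply". Assumes the CA signed the reply directly.
        reply.verify(ca.getPublicKey());
        reply.checkValidity();
        ks.setKeyEntry(keyAlias, key, keyPassword, new Certificate[] { reply, ca });
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args.length > 0 ? args[0].toCharArray() : "changeit".toCharArray(); // placeholder
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("keystore.jks")) {
            ks.load(in, pw);
        }
        X509Certificate ca = readCert("TCStestCA.cer");
        X509Certificate reply = readCert("TCStest.cer");

        importTrustedCa(ks, "tcstestca", ca);          // alias chosen here, not taken from the post
        installReply(ks, "tcstestenv", pw, reply, ca);

        try (OutputStream out = new FileOutputStream("keystore.jks")) {
            ks.store(out, pw);
        }
    }
}
```

With keytool the same order is: -importcert -trustcacerts -alias tcstestca -file TCStestCA.cer, then -importcert -alias tcstestenv -file TCStest.cer. For the PSkeymanager case, the CA that issued certi.pem has to be loaded into keystore\pskey the same way before certi.pem itself is imported.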